[CentOS-devel] Validating Sources

Karanbir Singh mail-lists at karan.org
Mon Jul 7 09:01:55 UTC 2014


hi,

given that srpms contain upstream tarballs, in most cases directly
linked from upstream; I wonder if it's worthwhile setting up a service
that can track git commits, extract the urls for our lookaside tarballs
and compare them with the upstream projects' release tarballs.

this would be a great addition to the ci.dev.centos.org infra, and could
add another data point to the 'can-we-trust-this' mindset.

- KB

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
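
The comparison proposed in this message, as an added example that is not part of the original post and is not CentOS tooling: recorded lookaside digests are checked against upstream release tarballs. Assumptions: the lookaside record is a text file of `<hexdigest> <path>` lines, and the file names and tarball bytes below are constructed (a real service would fetch the upstream bytes from the URL on the spec file's Source line).

```python
import hashlib
import hmac

# Assumption: recorded digests are hex sha1 or sha256, told apart by length.
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")

def parse_metadata(text):
    """Parse '<hexdigest> <path>' lines into {path: digest}; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts:
            continue  # blank line
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <path>'")
        digest, path = parts[0].lower(), parts[1].strip()
        if len(digest) not in ALGO_BY_HEXLEN or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not a sha1/sha256 hex digest")
        entries[path] = digest
    return entries

def compare_with_upstream(metadata_text, upstream_blobs):
    """Return {path: 'match' | 'mismatch' | 'no-upstream'} per recorded tarball."""
    report = {}
    for path, recorded in parse_metadata(metadata_text).items():
        blob = upstream_blobs.get(path.rsplit("/", 1)[-1])
        if blob is None:
            # No upstream release to compare with (e.g. a distro-only tarball):
            # surface it for manual review instead of treating it as trusted.
            report[path] = "no-upstream"
            continue
        actual = hashlib.new(ALGO_BY_HEXLEN[len(recorded)], blob).hexdigest()
        ok = hmac.compare_digest(actual, recorded)
        report[path] = "match" if ok else "mismatch"
    return report

# Constructed sample data: stand-ins for downloaded upstream release tarballs.
UPSTREAM = {"foo-1.0.tar.gz": b"constructed upstream foo release",
            "bar-2.1.tar.xz": b"constructed upstream bar release"}
# Constructed lookaside record: foo agrees, bar differs, the third is local-only.
METADATA = "\n".join([
    hashlib.sha1(UPSTREAM["foo-1.0.tar.gz"]).hexdigest() + " SOURCES/foo-1.0.tar.gz",
    hashlib.sha1(b"repacked bar tarball").hexdigest() + " SOURCES/bar-2.1.tar.xz",
    hashlib.sha256(b"local artwork").hexdigest() + " SOURCES/local-art.tar.gz",
])

if __name__ == "__main__":
    for path, status in compare_with_upstream(METADATA, UPSTREAM).items():
        print(f"{status:12} {path}")
```

A mismatch is a data point rather than a verdict, since a tarball that was repacked or recompressed downstream also produces a different digest.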


