[CentOS-devel] Validating Sources
Karanbir Singh
mail-lists at karan.org
Mon Jul 7 09:39:49 UTC 2014
On 07/07/2014 10:36 AM, Nico Kadel-Garcia wrote:
> On Mon, Jul 7, 2014 at 5:01 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> hi,
>>
>> given that srpms contain upstream tarballs, in most cases directly
>> linked from upsream; I wonder if its worth while setting up a service
>> that can track git commits, extract the urls for our lookaside tarballs
>> and compare them with the upstream projects's release tarballs.
>>
>> this would be a great addition to the ci.dev.centos.org infra, and could
>> add another data point to the 'can-we-trust-this' mindset.
>>
>> - KB
>
> When it works, it could be useful for verification of the source
> tarballs. The difficulty I see is that some of the published Source
> URL's are transient. As they become even slightly out of date, many
> projects move aside older versions to an "archive" subdirectory, or
> re-arrange their websites at whim. I ran into this with Nagios last
> year, and software that installs Nagios from tarballs.
>
> So it's potentially useful, but there's no guarantee that those URL's
> are valid for even 5 seconds after the original SPEC file was written.
would be great to find out how many are.
we could potentially setup cache's - and ensure that there are other
people who also run the same checks, so its not having to trust just a
single source.
--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
More information about the CentOS-devel
mailing list