[CentOS-devel] Validating Sources
Karanbir Singh
mail-lists at karan.org
Mon Jul 7 09:39:49 UTC 2014
On 07/07/2014 10:36 AM, Nico Kadel-Garcia wrote:
> On Mon, Jul 7, 2014 at 5:01 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> hi,
>>
>> given that srpms contain upstream tarballs, in most cases directly
>> linked from upstream; I wonder if it's worthwhile setting up a service
>> that can track git commits, extract the urls for our lookaside tarballs
>> and compare them with the upstream projects' release tarballs.
>>
>> this would be a great addition to the ci.dev.centos.org infra, and could
>> add another data point to the 'can-we-trust-this' mindset.
>>
>> - KB
>
> When it works, it could be useful for verification of the source
> tarballs. The difficulty I see is that some of the published Source
> URLs are transient. As they become even slightly out of date, many
> projects move aside older versions to an "archive" subdirectory, or
> re-arrange their websites at whim. I ran into this with Nagios last
> year, and software that installs Nagios from tarballs.
>
> So it's potentially useful, but there's no guarantee that those URLs
> are valid for even 5 seconds after the original SPEC file was written.

would be great to find out how many are. we could potentially set up
caches - and ensure that there are other people who also run the same
checks, so it's not having to trust just a single source.

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
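
The check discussed in this thread, sketched as an added example that is not part of the original message or of any CentOS tooling: it pulls Source URLs out of a spec file, compares the lookaside tarball's SHA-256 with the upstream download, and reports a vanished URL as "unreachable" rather than as a mismatch. The function names, the sample spec and the `fetch` hook (where a cache or mirror could be plugged in) are assumptions made for illustration.

```python
import hashlib
import re
from urllib.request import urlopen

def source_urls(spec_text):
    """Return remote Source URLs from a spec, expanding simple %{macro} references."""
    macros = {}
    for m in re.finditer(r"^(Name|Version):\s*(\S+)", spec_text, re.M | re.I):
        macros[m.group(1).lower()] = m.group(2)
    for m in re.finditer(r"^%(?:global|define)\s+(\w+)\s+(\S+)", spec_text, re.M):
        macros[m.group(1)] = m.group(2)
    urls = []
    for m in re.finditer(r"^Source\d*:\s*(\S+)", spec_text, re.M | re.I):
        # Unknown macros are left in place so the caller can see what failed.
        url = re.sub(r"%\{\??(\w+)\}",
                     lambda r: macros.get(r.group(1), r.group(0)), m.group(1))
        if url.startswith(("http://", "https://", "ftp://")):
            urls.append(url)  # bare file names (local sources) are skipped
    return urls

def http_fetch(url):
    """Default fetcher: return the body bytes, or None if the URL is gone."""
    try:
        with urlopen(url, timeout=30) as resp:
            return resp.read()
    except OSError:  # URLError, HTTPError and timeouts are all OSError subclasses
        return None

def check_tarball(lookaside_bytes, url, fetch=http_fetch):
    """Compare a lookaside tarball with upstream: 'match', 'mismatch' or 'unreachable'."""
    upstream = fetch(url)
    if upstream is None:
        return "unreachable"  # moved or archived URL: no evidence either way
    ours = hashlib.sha256(lookaside_bytes).hexdigest()
    theirs = hashlib.sha256(upstream).hexdigest()
    return "match" if ours == theirs else "mismatch"

# Constructed sample spec (hypothetical package and host, not real CentOS data).
SPEC = """\
Name: example
Version: 1.2.3
Source0: https://upstream.example.org/releases/%{name}-%{version}.tar.gz
Source1: example.init
"""
```

Counting the "unreachable" results across many packages would answer the question of how many Source URLs are still valid.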