[CentOS-devel] Validating Sources

Mon Jul 7 09:01:55 UTC 2014
Karanbir Singh <mail-lists at karan.org>


given that srpms contain upstream tarballs, in most cases directly
linked from upsream; I wonder if its worth while setting up a service
that can track git commits, extract the urls for our lookaside tarballs
and compare them with the upstream projects's release tarballs.

this would be a great addition to the ci.dev.centos.org infra, and could
add another data point to the 'can-we-trust-this' mindset.

- KB

Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc