hi, given that srpms contain upstream tarballs, in most cases directly linked from upsream; I wonder if its worth while setting up a service that can track git commits, extract the urls for our lookaside tarballs and compare them with the upstream projects's release tarballs. this would be a great addition to the ci.dev.centos.org infra, and could add another data point to the 'can-we-trust-this' mindset. - KB -- Karanbir Singh +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh GnuPG Key : http://www.karan.org/publickey.asc