[CentOS-devel] Validating Sources

Mon Jul 7 09:36:50 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Mon, Jul 7, 2014 at 5:01 AM, Karanbir Singh <mail-lists at karan.org> wrote:
> hi,
> given that srpms contain upstream tarballs, in most cases directly
> linked from upstream; I wonder if it's worthwhile setting up a service
> that can track git commits, extract the urls for our lookaside tarballs
> and compare them with the upstream projects' release tarballs.
> this would be a great addition to the ci.dev.centos.org infra, and could
> add another data point to the 'can-we-trust-this' mindset.
> - KB

When it works, it could be useful for verification of the source
tarballs. The difficulty I see is that some of the published Source
URLs are transient. As they become even slightly out of date, many
projects move aside older versions to an "archive" subdirectory, or
re-arrange their websites at whim. I ran into this with Nagios last
year, and with software that installs Nagios from tarballs.

So it's potentially useful, but there's no guarantee that those URLs
are valid for even 5 seconds after the original SPEC file was written.
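The comparison service sketched in this thread, as an added example that is not code from the CentOS project or from either poster: it pulls the Source URLs out of a spec file, hashes the lookaside copy against the upstream release tarball, and reports a transient or moved upstream URL (the failure mode raised above) as "cannot judge" rather than as a mismatch. The spec fragment, tarball bytes and `fetch` callback are constructed stand-ins; a real deployment would fetch over HTTP.

```python
import hashlib
import re

# Constructed spec fragment (not a real CentOS spec).
SAMPLE_SPEC = """\
Name:    example
Version: 1.2.3
Source0: https://example.org/releases/example-%{version}.tar.gz
Source1: https://example.org/releases/example-%{version}-docs.tar.gz
Patch0:  fix-build.patch
"""


def source_urls(spec_text):
    """Return remote SourceN URLs from a spec, expanding %{name}/%{version}."""
    macros = {m.group(1).lower(): m.group(2)
              for m in re.finditer(r"^(Name|Version):\s*(\S+)", spec_text, re.M)}
    urls = []
    for m in re.finditer(r"^Source\d*:\s*(\S+)", spec_text, re.M):
        url = m.group(1)
        for key, val in macros.items():
            url = url.replace("%{" + key + "}", val)
        if url.startswith(("http://", "https://", "ftp://")):
            urls.append(url)
    return urls


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_sources(spec_text, lookaside, fetch):
    """Compare each lookaside tarball with the upstream tarball at its URL.

    lookaside: {filename: bytes} as stored in the lookaside cache.
    fetch(url): returns the upstream bytes, or None when the URL is gone
                (moved to an archive dir, site rearranged, 404, ...).
    """
    results = {}
    for url in source_urls(spec_text):
        name = url.rsplit("/", 1)[-1]
        local = lookaside.get(name)
        if local is None:
            results[name] = "missing-in-lookaside"
            continue
        upstream = fetch(url)
        if upstream is None:
            results[name] = "upstream-unavailable"   # transient URL: no verdict
        elif sha256(upstream) == sha256(local):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"               # flag for human review
    return results
```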