[CentOS-devel] Validating Sources

Mon Jul 7 09:39:49 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 07/07/2014 10:36 AM, Nico Kadel-Garcia wrote:
> On Mon, Jul 7, 2014 at 5:01 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> hi,
>>
>> given that srpms contain upstream tarballs, in most cases directly
>> linked from upstream; I wonder if it's worthwhile setting up a service
>> that can track git commits, extract the urls for our lookaside tarballs
>> and compare them with the upstream projects' release tarballs.
>>
>> this would be a great addition to the ci.dev.centos.org infra, and could
>> add another data point to the 'can-we-trust-this' mindset.
>>
>> - KB
> 
> When it works, it could be useful for verification of the source
> tarballs. The difficulty I see is that some of the published Source
> URLs are transient. As they become even slightly out of date, many
> projects move aside older versions to an "archive" subdirectory, or
> re-arrange their websites at whim. I ran into this with Nagios last
> year, and software that installs Nagios from tarballs.
> 
> So it's potentially useful, but there's no guarantee that those URLs
> are valid for even 5 seconds after the original SPEC file was written.

would be great to find out how many are.

we could potentially set up caches - and ensure that there are other
people who also run the same checks, so it's not having to trust just a
single source.

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
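
A sketch of the check discussed in this thread, added here as an example and not code from the CentOS project or either poster: it pulls remote Source URLs out of a spec file and grades the lookaside tarball's digest against what several independent checkers saw upstream, treating a vanished URL as "unverifiable" rather than as a failure. The spec fragment, the checker names, the quorum of 2 and the function names are all assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample spec fragment (not a real package); macros are
# assumed to be already expanded.
SPEC = """\
Name: example
Version: 1.2.3
Source0: https://upstream.example/releases/example-1.2.3.tar.gz
Source1: example.init
Patch0: fix.patch
"""

def source_urls(spec_text):
    """Return {tag: url} for SourceN tags that point at a remote URL."""
    urls = {}
    for m in re.finditer(r"^(Source\d*):\s*(\S+)\s*$", spec_text, re.M | re.I):
        tag, value = m.groups()
        if re.match(r"(?:https?|ftp)://", value):
            urls[tag] = value
    return urls

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verdict(lookaside_digest, reports, quorum=2):
    """Grade one tarball.

    reports maps checker name -> digest of the file that checker fetched
    from the upstream URL, or None if the URL no longer resolved.
    """
    seen = Counter(d for d in reports.values() if d is not None)
    if not seen:
        return "unverifiable"          # URL gone for every checker
    digest, votes = seen.most_common(1)[0]
    if votes < quorum:
        return "unverifiable"          # not enough independent agreement
    if digest != lookaside_digest:
        return "mismatch"              # checkers agree upstream differs
    if len(seen) > 1:
        return "unverifiable"          # some checker saw different bytes
    return "match"

if __name__ == "__main__":
    good = sha256(b"constructed release tarball bytes")
    print(source_urls(SPEC))
    print(verdict(good, {"checker-a": good, "checker-b": good, "checker-c": None}))
```

Counting the "unverifiable" results across all packages would also answer the question of how many Source URLs are still valid.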