[Mageia-dev] Will this work for a build system?

Mon Sep 27 12:07:03 CEST 2010

On Monday 27 September 2010, Giuseppe Ghibò wrote:
+> The secure
+> one would download the tarball automatically from the original
+> repositories:
+> 
+> e.g.: suppose there is a package SPEC file containing:
+> 
+> Source: http://blabla.com/openssh-5.5-1.tar.xz
+> Source1: http://blabla.com/openssh-5.5.1.tar.sig
+> 
+> An automatic system would try to retrieve from the http://blabla.com/ site
+> the packages
+> http://blabla.com/openssh-5.5-1.tar.xz, or if not exists
+> http://blabla.com/openssh-5.5-1.tar.bz2 or
+> http://blabla.com/openssh-5.5-1.tar.gz or
+> http://blabla.com/openssh-5.5-1.tar. Then would retrieve the signature
+> http://blabla.com/openssh-5.5.1.tar.sig and would check with the one from
+> the Database of signatures which has been already populated on the secure
+> system. If the signatures checking would match, then tarball would be
+> uploaded to the "secure" system svn and used for building instead of the
+> one from the contributor/package maintainer.
+> 
+> [Of course the system would fail if the package maintainer has downloaded
+> the source tarball from the svn and not from a canonical repository, and to
+> be further secure this system would require also signing of Patches].
+> 
+
+... or just use git, which ensures the source code integrity.
+
+
+-- 
+Say NO to spam and viruses. Stop using Microsoft Windows!
+