[Mageia-dev] Will this work for a build system?

P. Christeas p_christ at hol.gr
Mon Sep 27 12:07:03 CEST 2010


On Monday 27 September 2010, Giuseppe Ghibò wrote:
> The secure
> one would download the tarball automatically from the original
> repositories:
> 
> e.g.: suppose there is a package SPEC file containing:
> 
> Source: http://blabla.com/openssh-5.5-1.tar.xz
> Source1: http://blabla.com/openssh-5.5.1.tar.sig
> 
> An automatic system would try to retrieve from the http://blabla.com/ site
> the packages
> http://blabla.com/openssh-5.5-1.tar.xz, or if that does not exist
> http://blabla.com/openssh-5.5-1.tar.bz2 or
> http://blabla.com/openssh-5.5-1.tar.gz or
> http://blabla.com/openssh-5.5-1.tar. Then it would retrieve the signature
> http://blabla.com/openssh-5.5.1.tar.sig and would check it against the one from
> the database of signatures which has already been populated on the secure
> system. If the signature check matched, then the tarball would be
> uploaded to the "secure" system svn and used for building instead of the
> one from the contributor/package maintainer.
> 
> [Of course the system would fail if the package maintainer has downloaded
> the source tarball from the svn and not from a canonical repository, and to
> be further secure this system would also require signing of patches].
> 

... or just use git, which ensures the source code integrity.


-- 
Say NO to spam and viruses. Stop using Microsoft Windows!
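The fetch-and-verify step Giuseppe sketches, as an added Python example (not code from this thread or from Mageia's build tools): a pluggable fetch() stands in for the download so it runs offline, and the "database of signatures" is modelled as a dict of pre-populated detached signatures compared in constant time; a production importer would instead run gpg --verify against a keyring of upstream keys. All function names and the sample data are constructed for this example.

```python
import hmac
import re
from typing import Callable, Dict, List, Optional, Tuple

# Fallback order given in the email: .tar.xz, then .tar.bz2, .tar.gz, .tar
SUFFIXES = (".tar.xz", ".tar.bz2", ".tar.gz", ".tar")

def parse_sources(spec_text: str) -> Dict[str, str]:
    """Collect the Source/SourceN URLs of a SPEC file into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(Source\d*):\s*(\S+)", spec_text, re.M)}

def candidate_urls(source_url: str) -> List[str]:
    """Strip the compression suffix and list every fallback URL in order."""
    for suf in SUFFIXES:
        if source_url.endswith(suf):
            base = source_url[:-len(suf)]
            return [base + s for s in SUFFIXES]
    return [source_url]  # unknown extension: only try what the SPEC names

def fetch_verified(spec_text: str,
                   fetch: Callable[[str], Optional[bytes]],
                   trusted_sigs: Dict[str, bytes]) -> Tuple[str, bytes]:
    """Fetch the first available tarball, then refuse it unless its
    detached signature matches the copy pre-populated in trusted_sigs.
    fetch(url) returns the body, or None when the file is not there."""
    src = parse_sources(spec_text)
    for url in candidate_urls(src["Source"]):
        tarball = fetch(url)
        if tarball is not None:
            break
    else:
        raise ValueError("no tarball found at any candidate URL")
    sig = fetch(src["Source1"])
    expected = trusted_sigs.get(src["Source1"])
    # Constant-time compare; a missing signature on either side is a failure.
    if sig is None or expected is None or not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch, refusing to import " + url)
    return url, tarball

# Constructed sample data: the SPEC from the email, a fake upstream server
# that only carries the .tar.gz variant, and the pre-populated signature DB.
SPEC = ("Source: http://blabla.com/openssh-5.5-1.tar.xz\n"
        "Source1: http://blabla.com/openssh-5.5.1.tar.sig\n")
FAKE_SERVER = {"http://blabla.com/openssh-5.5-1.tar.gz": b"<tarball bytes>",
               "http://blabla.com/openssh-5.5.1.tar.sig": b"<sig bytes>"}
TRUSTED_SIGS = {"http://blabla.com/openssh-5.5.1.tar.sig": b"<sig bytes>"}

if __name__ == "__main__":
    print(fetch_verified(SPEC, FAKE_SERVER.get, TRUSTED_SIGS)[0])
```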

