Michael Schwendt <mschwendt(a)gmail.com> writes:
The uploaded tarball checksum enters the "sources" file in
git, and any
tarball downloaded from the lookaside cache MUST match that checksum.
Else it wouldn't be downloaded and used. Source RPM build in koji would
fail.
That won't help if the tarball is already defective when uploaded. The
checksum is basically only used to identify the blob in the cache, at
most to detect cache corruptions.
Andreas.
--
Andreas Schwab, schwab(a)redhat.com
GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84 5EC7 45C6 250E 6F00 984E
"And now for something completely different."