vsftpd in the news
Michael Schwendt
mschwendt at gmail.com
Tue Jul 5 10:31:38 UTC 2011
On Tue, 05 Jul 2011 11:01:15 +0200, AS (Andreas) wrote:
> > The uploaded tarball checksum enters the "sources" file in git, and any
> > tarball downloaded from the lookaside cache MUST match that checksum.
> > Else it wouldn't be downloaded and used. Source RPM build in koji would
> > fail.
>
> That won't help if the tarball is already defective when uploaded. The
> checksum is basically only used to identify the blob in the cache, at
> most to detect cache corruptions.
And I didn't claim otherwise.
The post I replied to already had mentioned:
| For Fedora, package maintainers are responsible for uploading verified
| tar balls to the fedora build system.
More information about the devel
mailing list