Source file audit - 2013-11-17

Ville Skyttä ville.skytta at
Thu Nov 21 18:41:21 UTC 2013

On Thu, Nov 21, 2013 at 4:53 PM, Björn Persson
<bjorn at> wrote:
> Ville Skyttä wrote:
>> spectool is not a source verification tool nor a certificate
>> validation one, and I'm not going to help people get the misconception
>> that it might be something like that.
> So how do you think the verification should be done?

Um, source verification needs to be done... by verifying the sources?
Diligence, how deep maintainers want to go, and their competence levels
vary, but there's really no way around it. Standard procedures for
checking the authenticity of sources should include GPG/signature
checking (if available), checksum checking (if available, hopefully
signed), and cross checking with other consumers (e.g. other distros,
if available). And authenticity checking is not verifying the sources
nor enough -- upstreams make mistakes too, and packagers should really
know what they're shipping, read and understand diffs between releases
etc etc.

> If an upstream project doesn't PGP-sign the tarballs but does make them
> available over HTTPS, then the TLS connection is the only thing that
> ensures that the tarball you receive is the one that the developers
> published.

No, it doesn't, at all. For example the server may have had all its
content compromised and serve all that over an HTTPS connection that
passes whatever validity and authenticity checks one might want to
throw at it.
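As an added illustration of the checksum and cross-checking steps listed above (example code, not from this thread or any project it mentions): a Python check that hashes a tarball, compares the result with upstream's sha256sum-style SHA256SUMS and with an independent consumer's recorded hash, and fails on a mismatch or a missing entry. File names and hashes are constructed; verifying the signature on the checksum file itself (gpg --verify) is a separate step not shown here.

```python
import hashlib
import os
import tempfile

def sha256_hex(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank/malformed lines instead of trusting them
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def verify_tarball(path, upstream_sums, crosscheck_sums):
    """Return (ok, reasons): ok only if the file's hash matches both
    upstream's record and an independent consumer's; a missing entry fails."""
    name = os.path.basename(path)
    actual = sha256_hex(path)
    reasons = []
    for label, sums in (("upstream", upstream_sums), ("cross-check", crosscheck_sums)):
        expected = sums.get(name)
        if expected is None:
            reasons.append(f"{label}: no entry for {name}")
        elif expected != actual:
            reasons.append(f"{label}: expected {expected[:12]}.., got {actual[:12]}..")
    return (not reasons, reasons)

def demo():
    """Constructed scenario: upstream's SHA256SUMS matches the tarball, but a
    second consumer recorded a different hash (as after a server compromise)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "foo-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"constructed tarball bytes, not a real archive\n")
        good = sha256_hex(path)
        upstream = parse_sums(f"{good}  foo-1.0.tar.gz\n")
        other_ok = parse_sums(f"{good} *foo-1.0.tar.gz\n")
        other_bad = parse_sums("0" * 64 + "  foo-1.0.tar.gz\n")
        ok_all, _ = verify_tarball(path, upstream, other_ok)
        ok_bad, reasons = verify_tarball(path, upstream, other_bad)
        return ok_all, ok_bad, reasons
```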
