Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Bruno Wolff III bruno at wolff.to
Wed Nov 25 03:32:44 UTC 2009


On Tue, Nov 24, 2009 at 10:33:16 -0500,
  Todd Zullinger <tmz at pobox.com> wrote:
> 
> What I'm here for is to gather ideas for how to properly go about
> building the mingw32-sha256sum and keeping it around so that when I
> extract the sha256sum.exe and upload it to fedoraproject.org we will
> have the koji built rpm to compare the binary against.  Otherwise, the
> whole process falls back to "Trust that Todd didn't trojan the
> executable."  And while I'd be flattered if folks had that much trust
> in me, I think it would be unwise to encourage or expect. :)

I was thinking about what the GPL requirements are for publishing
executables built with mingw for another project that might be
set up on fedorahosted. Since mingw stuff is likely to include statically
linked libraries, I think you need to have pointers to the sources for
the versions of all of the included libraries.

So while I haven't asked someone about this before, I was thinking that
I would probably need to determine the libraries that got linked in and
then note the versions that were used to do the build and include links
into koji for all of the involved src rpms prominently on the download
page.



