On Wed, 10 Jun 2009, Karsten König wrote:
> The to-be-used tarball often has an MD5 sum or other hash on the project download page, so why not introduce a hash field for every source in the spec that needs to match the hash sum of the tarball? Then a reviewer only needs to verify that the hash sums in the .spec files match the ones from the project download page, and the ball about malicious code is upstream =)
With FreeBSD we have been doing this for ages, including MD5 and SHA hashes as well as the file size as part of the equivalent of a spec there. It's been working pretty well, so I recommend we do this for openSUSE, too.

Gerald
-- 
Dr. Gerald Pfeifer                      E gp@novell.com
SUSE Linux Products GmbH                Director Product Management
T +49(911)74053-0                       HRB 16746 (AG Nuremberg)
openSUSE/SUSE Linux Enterprise          F +49(911)74053-483
GF: Markus Rex
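As an added illustration of the check both messages describe (this is example code written for this page, not code from the thread, from FreeBSD's ports infrastructure or from openSUSE's build service), here is a small Python verifier for a per-source hash manifest. The line format is modelled on FreeBSD's distinfo files (`SHA256 (file) = hex`, `SIZE (file) = bytes`, older entries also carry `MD5`); the file names and tarball contents are constructed in a temporary directory so the script runs offline. Note what the check does and does not buy you: it proves the tarball in the package matches the digest the packager recorded, so a reviewer still has to compare that recorded digest against the upstream download page out of band, and a size field catches truncation but not a same-length tamper, which is why the SHA256 line is required.

```python
import hashlib
import os
import re
import tempfile

# Manifest line format, assumed to follow FreeBSD's distinfo style:
#   SHA256 (foo-1.0.tar.gz) = <hex digest>
#   SIZE (foo-1.0.tar.gz) = <byte count>
LINE_RE = re.compile(r"^(MD5|SHA256|SIZE)\s+\((.+?)\)\s*=\s*(\S+)$")


def parse_manifest(text):
    """Return {filename: {"MD5": hex, "SHA256": hex, "SIZE": str}}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno}: cannot parse {raw!r}")
        kind, fname, value = m.groups()
        # Normalise digests to lower case so a copy-pasted upper-case hex still matches.
        entries.setdefault(fname, {})[kind] = value if kind == "SIZE" else value.lower()
    return entries


def digest_file(path, algo):
    """Stream the file through hashlib so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(manifest_text, srcdir):
    """Check every file named in the manifest against its copy in srcdir.

    Returns {filename: [problem strings]}; an empty list means the file passed.
    """
    report = {}
    for fname, expect in parse_manifest(manifest_text).items():
        path = os.path.join(srcdir, fname)
        if not os.path.isfile(path):
            report[fname] = ["missing"]
            continue
        problems = []
        if "SIZE" in expect:
            actual_size = os.path.getsize(path)
            if actual_size != int(expect["SIZE"]):
                problems.append(f"size {actual_size} != {expect['SIZE']}")
        for algo in ("SHA256", "MD5"):
            if algo in expect:
                actual = digest_file(path, algo.lower())
                if actual != expect[algo]:
                    problems.append(f"{algo} mismatch: got {actual}")
        if "SHA256" not in expect:
            # MD5 is collision-broken and SIZE alone proves nothing; insist on SHA256.
            problems.append("no SHA256 entry in manifest")
        report[fname] = problems
    return report


def demo():
    """Constructed scenario: one matching tarball, one same-size tampered copy,
    one file that the manifest lists but which is not present."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed example tarball contents\n"
        with open(os.path.join(d, "foo-1.0.tar.gz"), "wb") as f:
            f.write(good)
        # Same length as `good`, one byte changed: a size-only check would miss it.
        with open(os.path.join(d, "bar-2.0.tar.gz"), "wb") as f:
            f.write(b"constructed example tarball contentZ\n")
        manifest = (
            f"SHA256 (foo-1.0.tar.gz) = {hashlib.sha256(good).hexdigest()}\n"
            f"SIZE (foo-1.0.tar.gz) = {len(good)}\n"
            f"SHA256 (bar-2.0.tar.gz) = {hashlib.sha256(good).hexdigest()}\n"
            f"SIZE (bar-2.0.tar.gz) = {len(good)}\n"
            "SHA256 (baz-3.0.tar.gz) = 00\n"
        )
        return verify_sources(manifest, d)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run as a script, the demo reports `foo-1.0.tar.gz OK`, a SHA256 mismatch for the tampered `bar-2.0.tar.gz` even though its size matches, and `missing` for `baz-3.0.tar.gz`. In a real review the manifest text would come from the package's spec (or a distinfo-style sidecar) and `srcdir` from the checked-out package directory.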