On 05.04.24 at 13:39, Olaf Hering wrote:
Thu, 4 Apr 2024 11:53:45 +0200 Michael Pujos <pujos.michael@gmail.com>:

Are these already checked to verify the .obscpio is legit?
It should have been rejected right away by the bot.
A tag has no meaning, a tag can refer to anything.
Only the full 40 char git hash is hard to fake.

Olaf

Why would the bot reject it? The bot should be able to check the result of the tag based checkout with the recorded hash during obs commit.

It's the same with Source URL lines in the specfile directly. The GitHub download URL to a release asset or tag tar archive, which usually corresponds to a version, is under control of upstream. The content can change. But then the source validator bot detects a change of the file's hash sum and issues a warning.

- Ben
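The two checks discussed in this thread, a tag-based checkout compared against a recorded full 40-character commit hash and a downloaded source file compared against a recorded checksum, as an added example. This is not the source validator bot's code nor anything from the thread; it builds a throwaway git repository in a temporary directory, records the hash the way an honest obs commit would, then moves the tag to a different commit and shows that the recorded hash catches it. Function names, the `v1.0` tag and the file contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the OBS bot's code): validate recorded provenance data.
# Requires git and sha256sum.

# check_tag_hash REPO TAG RECORDED_HASH
# 0 = tag currently resolves to exactly the recorded commit
# 1 = tag resolves to a different commit (tag was moved or repo differs)
# 2 = recorded hash is not a full 40-char lowercase/uppercase hex hash
# 3 = tag does not exist in the repository
check_tag_hash() {
    repo=$1; tag=$2
    recorded=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    # A tag can point anywhere; only the full commit hash is a stable anchor,
    # so refuse short or malformed values outright.
    case "$recorded" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#recorded}" -eq 40 ] || return 2
    # ^{commit} peels annotated tags to the commit they name.
    actual=$(git -C "$repo" rev-parse --verify --quiet \
                 "refs/tags/$tag^{commit}" 2>/dev/null) || return 3
    [ "$actual" = "$recorded" ]
}

# check_file_sum FILE RECORDED_SHA256
# 0 when the file's SHA-256 matches the recorded value, 1 otherwise.
check_file_sum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# demo: constructed upstream repo and release asset; returns 0 only if the
# honest state passes both checks and the tampered state fails both.
demo() {
    work=$(mktemp -d) || return 1
    repo=$work/upstream
    git init -q "$repo" 2>/dev/null || return 1
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

    echo 'release 1.0 content' > "$repo/file"
    g add file && g commit -q -m 'release 1.0' || return 1
    g tag v1.0
    # What an honest obs commit records alongside the tag name.
    recorded=$(g rev-parse 'v1.0^{commit}')
    check_tag_hash "$repo" v1.0 "$recorded" || return 1

    # Constructed release asset and its recorded checksum.
    asset=$work/project-1.0.tar
    echo 'asset bytes for 1.0' > "$asset"
    asset_sum=$(sha256sum "$asset" | cut -d' ' -f1)
    check_file_sum "$asset" "$asset_sum" || return 1

    # Upstream silently moves the tag and replaces the asset.
    echo 'quietly changed content' > "$repo/file"
    g commit -q -am 'silently changed' || return 1
    g tag -f v1.0 >/dev/null
    echo 'different asset bytes' > "$asset"

    # Both checks must now fail: the tag name is unchanged, the hashes are not.
    if check_tag_hash "$repo" v1.0 "$recorded"; then return 1; fi
    if check_file_sum "$asset" "$asset_sum"; then return 1; fi

    rm -rf "$work"
    return 0
}
```

Run it with `sh -c '. ./check.sh; demo && echo ok'`; the point of the exit codes is that a validator can distinguish "tag moved" (1) from "recorded value unusable" (2) and "tag missing" (3), which are different findings for whoever reviews the submission.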