Dominique Leuenberger / DimStar wrote:
> There are various levels used (at least for openSUSE:Factory; the farther away you get (devel / home:), the less these are given facts):
>
> * If a full URL is specified to a tarball, OBS will try to download it from there by itself and compare the tarball vs. the one submitted by the user. If they do not match, it is declined (ensuring that what the user submits is what we would get from the upstream website).
> * If the package comes with GPG signatures, they are verified as well. For this, the packager has to add a .keyring file with the public key of the project in question (no global catalog is maintained; package maintainers have the responsibility here). This is for example done in PackageKit: https://build.opensuse.org/package/show/openSUSE:Factory/PackageKit
>
> There you see next to the tarball a .keyring file (currently holds the 2 public keys of the two main devs) and a .asc file (the actual signature of the tarball).
>
> Whenever this package is being submitted to openSUSE:Factory, the signature is verified. (osc build does the same locally, so you are always sure of good tarballs here.)
>
> And as usual, the resulting rpm is signed with the repo key, which is basically what the user hopefully *can* trust... giving the indication that what he receives is what he is supposed to receive.
>
> IIRC, there is also support for sha checksums, but I'd have to look it up. So at least for upstreams providing this information, we can 'easily' verify them when properly integrated into the package.
>
> But, as you said yourself: not all upstreams provide an easy method to validate it. And I don't think it makes sense if any packager is to produce checksum files; they can't be trusted much more than any random file on the internet. The packager would barely have a chance to verify that his download of the tarball had not already been tampered with.

Thank you for the detailed information. So I see that the build service has the infrastructure to verify sources on a high and secure level (PGP). The problem I still see is that not all important Factory packages have source code signatures and PGP keys.

I think SHA checksums can be used as a fallback solution if the upstream project does not offer PGP signatures for the source code archives. Every package maintainer can set up their own SHA checksums after verification of the sources, for instance against different mirrors and with info from announcement posts. (Even with PGP, maintainers can create their own PGP signatures for foreign upstream packages. Of course, this sounds like a bad practice, but it's better than nothing.)

I searched for .keyring and .asc files in some random but important Factory example packages. "yes" means that the package is secured with PGP signatures.

apache2: no
bash: no
coreutils: yes
cryptsetup: yes
glibc: yes
gnutls: yes
gpg2: yes
kernel-source: no
krb5: yes
openssl: yes
PackageKit: yes
postfix: no
rpm: no
samba: yes
vim: no
xorg-x11-driver-input: no
zypper: no

Greetings,
Björn
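As an added example (not code from OBS or osc), the checks discussed in this thread as a small Python audit script: classify() reports whether a package checkout carries a .keyring plus a detached signature (the PackageKit layout Dominique points to), only a .sha256 file (Björn's fallback) or nothing, while verify_sha256() and verify_gpg() run the corresponding checks, the latter in a throwaway GNUPGHOME so only the package's own keyring counts. The file names, the .sha256 layout and the demo() inputs are constructed assumptions, not real package contents.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def classify(files):
    """'pgp' if a tarball has a detached .asc/.sig and a .keyring to verify it against;
    'checksum' if it only has a .sha256 next to it; otherwise 'none'."""
    names = set(files)
    tarballs = [f for f in names if f.endswith((".tar.gz", ".tar.xz", ".tar.bz2", ".tgz"))]
    if any(f.endswith(".keyring") for f in names) and any(
            t + s in names for t in tarballs for s in (".asc", ".sig")):
        return "pgp"
    return "checksum" if any(t + ".sha256" in names for t in tarballs) else "none"

def verify_sha256(tarball, sums_file):
    """Check the tarball against a 'sha256sum'-style file; a missing entry counts as failure."""
    tarball = Path(tarball)
    digest = hashlib.sha256(tarball.read_bytes()).hexdigest()
    for line in Path(sums_file).read_text().splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == tarball.name:
            return parts[0].lower() == digest
    return False

def verify_gpg(tarball, sig, keyring):
    """Verify a detached signature using only the package's .keyring, imported into
    a throwaway GNUPGHOME so that no other key on the system can satisfy the check."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", str(keyring)], capture_output=True, check=True)
        res = subprocess.run(gpg + ["--status-fd", "1", "--verify", str(sig), str(tarball)],
                             capture_output=True, text=True)
    return "[GNUPG:] VALIDSIG" in res.stdout

def demo():
    """Constructed inputs (not real packages): a fake tarball with a matching and a tampered .sha256."""
    with tempfile.TemporaryDirectory() as d:
        tb = Path(d) / "foo-1.0.tar.xz"
        tb.write_bytes(b"constructed tarball content, not a real archive\n")
        good, bad = Path(d) / "foo-1.0.tar.xz.sha256", Path(d) / "tampered.sha256"
        good.write_text(f"{hashlib.sha256(tb.read_bytes()).hexdigest()}  {tb.name}\n")
        bad.write_text("0" * 64 + "  foo-1.0.tar.xz\n")
        return {
            "good": verify_sha256(tb, good), "bad": verify_sha256(tb, bad),
            "pgp": classify(["PackageKit-VERSION.tar.xz", "PackageKit-VERSION.tar.xz.asc", "PackageKit.keyring", "PackageKit.spec"]),
            "fallback": classify(["foo-1.0.tar.xz", "foo-1.0.tar.xz.sha256", "foo.spec"]),
            "none": classify(["bar-2.0.tar.gz", "bar.spec", "bar.changes"]),
        }
```

A tarball that ships a .asc but no .keyring is classified as 'none', since without the project's public key in the package there is nothing for OBS or osc build to verify the signature against.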