On Wed, 2016-08-10 at 23:54 +0200, Bjoern Voigt wrote:
> But I wonder how we check the integrity of source code archives in the openSUSE Build service? I never saw any checksums or PGP signatures in build service projects. Of course one problem is that it's not always easy to find reliable checksums or signatures for any upstream project.
There are various levels used (at least for openSUSE:Factory; the farther away you get (devel / home:), the less those are given facts):

* If a full URL is specified to a tarball, OBS will try to download it from there by itself and compare the tarball vs. the one submitted by the user. If they do not match, it is declined (ensuring that what the user submits is what we would get from the upstream website).

* If the package comes with GPG signatures, they are verified as well. For this, the packager has to add a .keyring file with the public key of the project in question (no global catalog maintained; package maintainers have the responsibility here).

This is for example done in PackageKit: https://build.opensuse.org/package/show/openSUSE:Factory/PackageKit

There you see next to the tarball a .keyring file (currently holds 2 public keys of the two main devs) and a .asc file (the actual signature of the tarball). Whenever this package is being submitted to openSUSE:Factory, the signature is being verified. (osc build does the same locally, so you are always sure of good tarballs here.)

And as usual, the resulting rpm is signed with the repo key, which is basically what the user hopefully *can* trust... giving the indication that what he receives is what he is supposed to receive.

IIRC, there is also support for sha checksums, but I'd have to look it up.

So at least for upstreams providing this information, we can 'easily' verify them when properly integrated into the package. But, as you said yourself: not all upstreams provide an easy method to validate it. And I don't think it makes sense if any packager is to produce checksum files - they can't be trusted much more than any random file on the internet. The packager would barely have a chance to verify that his download of the tarball had not already been tampered with.

Cheers,
Dominique
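The two checks Dominique describes (submitted tarball must match the copy fetched from the upstream URL; the .asc signature must verify against the package's own .keyring) as an added example script. This is hypothetical code written for this thread, not OBS's or osc's own implementation; it assumes sha256sum and gpg are available and that the .keyring file is an importable public key block.

```shell
#!/bin/sh
# Hypothetical re-implementation of the two source checks discussed above
# (not OBS's own code):
#  1) the submitted tarball must be byte-identical to the one fetched from
#     the upstream URL, otherwise the submission is declined;
#  2) the detached .asc signature must verify using only the keys shipped
#     in the package's .keyring file (no global key catalog).

# compare_tarballs SUBMITTED DOWNLOADED -> 0 if identical, 1 if they differ
compare_tarballs() {
    submitted_sum=$(sha256sum "$1" | cut -d' ' -f1)
    downloaded_sum=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$submitted_sum" = "$downloaded_sum" ]; then
        return 0
    fi
    echo "declined: $1 ($submitted_sum) differs from upstream copy ($downloaded_sum)" >&2
    return 1
}

# verify_signature TARBALL TARBALL.asc PACKAGE.keyring
# Returns gpg's exit status (0 = good signature from a key in the keyring),
# or 2 if gpg is not installed / a temp dir could not be created.
verify_signature() {
    tarball=$1; sig=$2; keyring=$3
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # Import the package keyring into a throwaway GNUPGHOME so that keys
    # trusted elsewhere on the build host cannot influence the result.
    GNUPGHOME=$tmp gpg --batch --quiet --import "$keyring" 2>/dev/null
    GNUPGHOME=$tmp gpg --batch --verify "$sig" "$tarball" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demo on constructed files (not real upstream tarballs).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'upstream release' > "$d/foo-1.0.tar"      # what the packager submitted
    printf 'upstream release' > "$d/foo-1.0.tar.dl"   # what OBS fetched itself
    printf 'tampered release' > "$d/foo-1.0.tar.bad"  # a modified copy
    compare_tarballs "$d/foo-1.0.tar" "$d/foo-1.0.tar.dl"  && echo "match: accepted"
    compare_tarballs "$d/foo-1.0.tar" "$d/foo-1.0.tar.bad" || echo "mismatch: declined"
    rm -rf "$d"
fi
```

Run with `--demo` to see the accept/decline paths; `verify_signature foo.tar foo.tar.asc foo.keyring` performs the signature check on real files.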