Hi,

On Friday, 12 June 2009 11:26:31, Marcus Meissner wrote:
> Well, the only way to be doing this effectively is to make it mandatory.

For the main repository, I think the other OBS repos don't really need such a level of integrity check.

> If we enforce this to be mandatory there will be quite an outcry, because we did not do this before and it actually causes even more work.

How does this cause more work than "You either trust the submitter, you review the tarball (or its diff) or replace it with a known good one (from the original server)"? The first one is easiest, but might not fit every time; reviewing the tarball or diff isn't something feasible; and just upping a known good one, well, the reviewer could have done that in the first place.

Another idea would be to display md5 / sha1 etc. sums for all the files in osc and the web interface so people can quickly review manually where it makes sense (as in: tarball used).

> Also it does not address the issue where tarballs are taken from SVN/GIT/etc. checkouts.

Gah, right, but again you don't want to review the whole version? People with higher credibility ranking could sign off the submit + hash sum?

Regards,
Karsten

PS: As Gerald lined out, FreeBSD is doing that, Arch Linux is doing that as well =)
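The check discussed in this message (compare a submitted tarball against the known-good upstream one, and publish hash sums so a reviewer can eyeball them) written out as a small script. This is an added example, not code from the thread, from osc or from OBS; it only uses the Python standard library, and the tarball paths and contents are constructed inline. It also covers the SVN/GIT-checkout case Marcus raises: a regenerated tarball never matches byte for byte, so the script falls back to comparing the digest of each member's content, ignoring tar metadata, and reports added, removed and changed files.

```python
"""Compare a submitted source tarball with a known-good one.

Added example, not part of the opensuse-factory thread, osc or OBS.
Two checks: a whole-file digest (cheap, catches a swapped tarball) and a
per-member content digest that ignores tar metadata (mtime, owner, order),
so a tarball regenerated from an SVN/GIT checkout can still be reviewed.
"""
import hashlib
import io
import tarfile


def file_digest(data: bytes, algo: str = "sha256") -> str:
    """Digest of the whole tarball as shipped (what a web UI would display)."""
    return hashlib.new(algo, data).hexdigest()


def member_digests(tar_bytes: bytes) -> dict:
    """Map each regular file inside the tarball to the sha256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out


def compare_tarballs(submitted: bytes, known_good: bytes) -> dict:
    """Report byte identity, content identity and the per-file differences."""
    byte_identical = file_digest(submitted) == file_digest(known_good)
    a, b = member_digests(submitted), member_digests(known_good)
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return {
        "byte_identical": byte_identical,
        "content_identical": not (added or removed or changed),
        "added": added, "removed": removed, "changed": changed,
    }


def make_tar(files: dict, mtime: int = 0) -> bytes:
    """Build an in-memory tar.gz from {path: bytes}; constructed sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            ti = tarfile.TarInfo(path)
            ti.size = len(content)
            ti.mtime = mtime  # differing mtimes change the bytes, not the content
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()
```

A tarball that is byte-identical to upstream can be accepted on the whole-file digest alone; one that only differs in metadata shows `content_identical` with empty lists, while anything in `added`, `removed` or `changed` is the exact list of files the reviewer still has to read.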