[fdo] Authenticating/verifying freedesktop projects source
Marcin Szewczyk
freedesktop at wodny.org
Fri Mar 4 14:16:45 UTC 2016
Hi,
I would like to recompile a version of ModemManager supporting the Voice
interface. That is why I have to use the source code from the master
branch and not the 1.4 version. This also requires me to download libqmi
from a repository, because 1.12 is too old for this. How do I verify the
source?
Unfortunately:
- nor git commits, nor tags seem to be signed,
- HTTPS-accessible source archives include only those that are
stable (e.g. https://www.freedesktop.org/software/ModemManager/)
and there are no SUMS files signed by anybody.
Is it the safest method to git clone from URLs like the following ones?
- https://anongit.freedesktop.org/git/ModemManager/ModemManager.git
- https://anongit.freedesktop.org/git/libqmi
Some of freedesktop's cgit pages suggest to use http:// links. Luckily,
same links work with https://. But contrary to the ModemManager's cgit
page, the libqmi cgit page doesn't contain the http:// link, only git://
and ssh:// links. Nevertheless, the https:// link to the libqmi
repository works.
Should I request an SSH account[1] with read-only access to projects I
want to clone? How do I obtain the host's fingerprint?
[1] https://www.freedesktop.org/wiki/AccountRequests/
Regards,
--
Marcin Szewczyk
http://wodny.org
More information about the freedesktop
mailing list