[poppler] verify of released packages?
Albert Astals Cid
aacid at kde.org
Sat Aug 18 16:48:53 UTC 2018
On Saturday, 18 August 2018, at 15:41:38 CEST, Thomas Jarosch wrote:
> Hello Albert,
>
> is there any way to verify the integrity of poppler source releases?
>
> I didn't spot a GPG signature for the tarball
> or a simple SHA256 / MD5 checksum.
>
> If a gpg signature is too much effort, it would already help if there's
> an official sha256sum in the release announcement on the mailing list.
> (https://lists.freedesktop.org/archives/poppler/2018-July/013275.html)
>
> That would help to verify the download server has not been tampered with.

You mean you're afraid somebody hacked on freedesktop git and replaced
https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0
with a different commit than the one that I originally tagged?

Cheers,
Albert

>
> Thanks in advance!
> Thomas Jarosch