[poppler] verify of released packages?

Thomas Jarosch thomas.jarosch at intra2net.com
Tue Aug 21 07:28:26 UTC 2018


Good morning Albert,

On Monday, 20 August 2018 23:45:14 CEST Albert Astals Cid wrote:
> > > You mean you're afraid somebody hacked on freedesktop git and
> > > replaced
> > > https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0
> > > to a different commit than the one that I originally tagged?
> > 
> > I think he meant the tarballs, which in Poppler are released without
> > any checksum.
> 
> Ah, right, i was thinking he meant the git hash and not the hash of the
> tarball itself :D
> 
> I guess i can sign the packages, i'm doing it when releasing KDE
> Applications so it's not more work.

thank you very much, it's highly appreciated!

Yes, I meant the tarballs. The same thing theoretically applies to an
*unsigned* git tag, but if someone manages to replace that, other people
will notice very soon on the next update to their local tree.

-> a signed tarball will do :)

> I'll try to remember for next release.

For releases of libftdi (=library for certain USB serial converters),
I started to create a release checklist:
http://developer.intra2net.com/git/?p=libftdi;a=blob;f=doc/release-checklist.txt

Over the years, there were just too many steps to remember :)

Cheers,
Thomas
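The thread above is about how a downstream user can tell that a release tarball is the one the maintainer produced. As an added illustration (this is example code, not code from poppler, libftdi or anyone in the thread), the block below implements the checksum half of that check: it parses a sha256sum(1)-style SHA256SUMS file, recomputes the digest of the tarball, and rejects a tarball that is tampered with, not listed, or accompanied by a malformed checksum file. The tarballs, the file name `example-1.0.tar.gz` and the SHA256SUMS content are all constructed in-memory test data; the function names `parse_sums` and `verify_tarball` are this example's own.

```python
"""Verify a release tarball against a published SHA256SUMS file.

Added example, not poppler or libftdi code. All release data below is
constructed in memory so the script runs offline.
"""
import hashlib
import hmac
import io
import string
import tarfile


def build_tarball(files):
    """Build an in-memory .tar.gz from {path: bytes}. Test-data helper only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_sums(text):
    """Parse sha256sum(1) output ('<64 hex>  <file>' or '<64 hex> *<file>').

    Blank lines and '#' comments are skipped; anything else that does not
    look like a SHA-256 entry is an error, so a corrupted or truncated
    checksum file cannot silently verify nothing.
    """
    sums = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: expected '<digest>  <file>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in string.hexdigits for c in digest):
            raise ValueError(f"SHA256SUMS line {lineno}: not a SHA-256 digest")
        if name in sums and sums[name] != digest:
            raise ValueError(f"SHA256SUMS line {lineno}: conflicting digests for {name}")
        sums[name] = digest
    return sums


def verify_tarball(name, tarball, sums_text):
    """Return (ok, reason). Fails closed on any problem with the checksum file."""
    try:
        sums = parse_sums(sums_text)
    except ValueError as exc:
        return False, f"malformed checksum file: {exc}"
    expected = sums.get(name)
    if expected is None:
        # A missing entry is a failure, not a pass: an attacker who can edit
        # the checksum file could otherwise just delete the line.
        return False, f"{name} is not listed in the checksum file"
    actual = hashlib.sha256(tarball).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return False, f"digest mismatch: expected {expected[:16]}..., got {actual[:16]}..."
    return True, "digest matches"


# --- constructed sample data (not a real release) ---------------------------
TARBALL_NAME = "example-1.0.tar.gz"
GOOD_TARBALL = build_tarball({
    "example-1.0/configure": b"#!/bin/sh\necho configuring\n",
    "example-1.0/src/main.c": b"int main(void) { return 0; }\n",
})
# Same release with one file altered, standing in for a tarball swapped on
# the download server by a hypothetical attacker.
TAMPERED_TARBALL = build_tarball({
    "example-1.0/configure": b"#!/bin/sh\necho configuring\n# altered line\n",
    "example-1.0/src/main.c": b"int main(void) { return 0; }\n",
})
# The checksum file the maintainer would publish for the genuine tarball.
SUMS_TEXT = f"{hashlib.sha256(GOOD_TARBALL).hexdigest()}  {TARBALL_NAME}\n"


if __name__ == "__main__":
    for label, blob in (("genuine", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, reason = verify_tarball(TARBALL_NAME, blob, SUMS_TEXT)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```

A checksum file served from the same host as the tarball only catches corruption and accidental substitution: whoever can replace the tarball can regenerate SHA256SUMS too. That is why the thread asks for a signature rather than just a hash. In practice the checksum file (or the tarball itself) is signed with the maintainer's OpenPGP key and verified with `gpg --verify <file>.sig <file>` against a key obtained out of band, and the same reasoning applies to tags: `git tag -s` produces a signed tag that `git verify-tag` can check, which is what makes a tag substitution detectable by more than just people noticing on their next fetch.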
