[poppler] verify of released packages?

Albert Astals Cid aacid at kde.org
Tue Aug 21 18:26:34 UTC 2018


On Tuesday, 21 August 2018 at 9:28:26 CEST, Thomas Jarosch wrote:
> Good morning Albert,
> 
> On Monday, 20 August 2018 23:45:14 CEST Albert Astals Cid wrote:
> > > > You mean you're afraid somebody hacked on freedesktop git and
> > > > replaced
> > > > https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0
> > > > to a different commit than the one that I originally tagged?
> > > 
> > > I think he meant the tarballs, which in Poppler are released without
> > > any checksum.
> > 
> > Ah, right, I was thinking he meant the git hash and not the hash of the
> > tarball itself :D
> > 
> > I guess I can sign the packages, I'm doing it when releasing KDE
> > Applications so it's not more work.
> 
> thank you very much, it's highly appreciated!
> 
> Yes, I meant the tarballs. The same thing theoretically applies to an
> *unsigned* git tag, but if someone manages to replace that, other people
> will notice very soon on the next update to their local tree.
> 
> -> a signed tarball will do :)
> 
> > I'll try to remember for next release.
> 
> for releases of libftdi (=library for certain USB serial converters),
> I started to create a release checklist:
> http://developer.intra2net.com/git/?p=libftdi;a=blob;f=doc/release-checklist.txt

Don't worry, I have a checklist ;)

Cheers,
  Albert

> 
> Over the years there were just too many steps to remember :)
> 
> Cheers,
> Thomas
> 
> 
> 
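The thread settles on signed tarballs rather than bare checksums. The script below is an added example of the consumer side of that arrangement; it is not poppler's or libftdi's own tooling, and the file names, the `.sha256` layout (as written by `sha256sum`) and the keyring path are assumptions. It checks the digest first and then verifies a detached OpenPGP signature against a keyring that holds only the release key, obtained out of band; a constructed fixture with a tampered copy shows the digest check rejecting a swapped file.

```shell
#!/bin/sh
# Added example (not part of the poppler project): verify a release tarball
# against a sha256sum-style checksum file AND a detached GPG signature.
# File names, the checksum-file format and the keyring path are assumptions.

# check_sha256 TARBALL SUMFILE
# SUMFILE contains lines of the form "<hex digest>  <file name>", as produced
# by `sha256sum`. Succeeds only if the digest recorded for TARBALL's base name
# equals the digest of the bytes actually on disk.
check_sha256() {
    tarball=$1
    sumfile=$2
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1 }' "$sumfile")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# check_signature TARBALL SIGFILE KEYRING
# KEYRING is a keyring file that contains only the maintainer's release key,
# imported from a source you trust independently of the download server.
# Using --no-default-keyring keeps stray keys in ~/.gnupg out of the decision.
check_signature() {
    tarball=$1
    sig=$2
    keyring=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$tarball" >/dev/null 2>&1
}

# verify_release TARBALL SUMFILE SIGFILE KEYRING
# Exit 1 on digest mismatch, 2 on signature failure, 0 when both checks pass.
verify_release() {
    check_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    check_signature "$1" "$3" "$4" || { echo "signature check failed: $1" >&2; return 2; }
    echo "ok: $1"
}

# make_fixture: constructed demo data, no network and no real release.
# Writes a fake tarball plus its checksum file, and a tampered copy with the
# same base name under evil/ so the digest check can be seen rejecting it.
make_fixture() {
    dir=$(mktemp -d)
    printf 'not a real poppler tarball\n' > "$dir/poppler-0.67.0.tar.xz"
    ( cd "$dir" && sha256sum poppler-0.67.0.tar.xz > poppler-0.67.0.tar.xz.sha256 )
    mkdir "$dir/evil"
    cp "$dir/poppler-0.67.0.tar.xz" "$dir/evil/poppler-0.67.0.tar.xz"
    printf 'extra bytes\n' >> "$dir/evil/poppler-0.67.0.tar.xz"
    echo "$dir"
}

# Stand-alone demo of the digest half; the signature half needs a keyring you
# trust, e.g. verify_release poppler-0.67.0.tar.xz poppler-0.67.0.tar.xz.sha256 \
#   poppler-0.67.0.tar.xz.sig ./release-key.gpg   (all of these are assumed names)
d=$(make_fixture)
check_sha256 "$d/poppler-0.67.0.tar.xz" "$d/poppler-0.67.0.tar.xz.sha256" && echo "genuine: checksum ok"
check_sha256 "$d/evil/poppler-0.67.0.tar.xz" "$d/poppler-0.67.0.tar.xz.sha256" || echo "tampered: checksum mismatch"
```

The order matters for the reason the thread gives: a checksum file served next to the tarball only catches corruption, because whoever can replace the tarball can replace the checksum too. The signature check is the step that detects substitution, and it is only as good as the way the release key reached the keyring, so that key should come from somewhere other than the download location.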