On 02/20/2015 03:27 AM, Daniel Micay wrote:
> On 19/02/15 11:39 PM, Mark Lee wrote:
>> On 02/19/2015 05:46 PM, Mark Lee wrote:
>>> On 02/19/2015 05:24 PM, Lukas Jirkovsky wrote:
>>>> On 19 February 2015 at 21:42, Doug Newgard <scimmia@xxxxxxxxxxxxxx> wrote:
>>>>> You can't. If upstream provides a checksum, that gives you some verification, but since github doesn't, there's no way to verify any of it.
>>>>
>>>> I don't know about github, but with bitbucket the checksums of these generated tarballs may change occasionally, as I had this issue with luxrender. However, the sources were always the same; it was the metadata that changed.
>>>>
>>>
>>> How important are checksums to PKGBUILDS then? Should sources with varying checksums just have 'SKIP' in their integrity arrays?
>>>
>>> Regards, Mark
>>>
>>
>> Furthermore, if the integrity check is different from upstream, is a packager obligated to host a copy of the source code for GPLed software?
>>
>> Regards, Mark
>
> No... the integrity check not matching is not because an out-of-tree source tree was used. The checksums are certainly not there to improve security; that's what GPG signatures are for. The checksums are there for integrity.

The GPG signatures only confirm the packager built the package. My question is: if a packager's PKGBUILD fails a checksum and the license is GPL, how does the packager fulfill their requirement to provide the source code? How does the packager prove that the source was used to build the binaries, especially when there are hash collisions in md5? The packager seems to offset the source code necessities by grabbing the source from upstream, but the checksums don't match...

I understand that the metadata changed, which changed the checksum, but that doesn't really change the question of what to do with source code versioning systems that have changing checksums and the need to supply source code for GPL projects.

Regards, Mark
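The effect Lukas describes (identical sources, different tarball checksum) and the 'SKIP' semantics Mark asks about, as an added illustration that is not part of this thread or of makepkg: a constructed two-file source tree is packed twice with different archive metadata, the whole-archive SHA-256 differs while a hash over member names and contents stays stable, and `pkgbuild_check` is a hypothetical stand-in for the integrity-array comparison.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (not from the thread).
FILES = {
    "proj/README": b"hello\n",
    "proj/main.c": b"int main(void) { return 0; }\n",
}


def build_tarball(files, mtime):
    """Pack the same files into an uncompressed tar with a chosen mtime.

    Only the per-member mtime differs between two builds, which is the
    kind of metadata change a hosting service can introduce.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def archive_sha256(data):
    """What a PKGBUILD sha256sums entry covers: the raw archive bytes."""
    return hashlib.sha256(data).hexdigest()


def content_sha256(data):
    """Hash member names and file contents only, ignoring archive metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if member.isfile():
                h.update(member.name.encode() + b"\0")
                h.update(tar.extractfile(member).read())
    return h.hexdigest()


def pkgbuild_check(data, expected):
    """Hypothetical integrity-array check: 'SKIP' disables verification,
    otherwise the archive hash must match exactly."""
    if expected == "SKIP":
        return True
    return archive_sha256(data) == expected
```

A content hash like `content_sha256` detects changed source even when archive checksums drift, whereas 'SKIP' detects nothing at all.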