On Fri, 2 Apr 2004 10:38:54 +0200, Patrice Dumas wrote:
> > - Download of the sources, with md5sum check
>
> Maybe the download shouldn't be automatic, such that it is possible to check
> that the download url is really the right url (presumably searching first the
> project home page with google, in order not to use the url provided in the
> srpm, and verifying that it is the right download page), and not one with a
> bad package?

Reviewers should also notice when upstream projects provide detached GPG
signatures, which can be used to verify the published tarballs.
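A reviewer-side check along the lines discussed above, as an added example that is not part of the thread: it compares the fetched tarball's md5sum with the value carried by the package and, when upstream ships a detached signature next to the tarball, verifies that as well. It assumes md5sum and gpg are on PATH, that the signature (if any) is stored as `<tarball>.sig` or `<tarball>.asc`, and that the upstream signing key is already in the reviewer's keyring; all of these are assumptions, not settings from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   verify_source <tarball> <md5-from-spec>
# Returns 0 when the md5 matches and any detached signature verifies.

verify_source() {
    tarball=$1
    expected_md5=$2

    if [ ! -f "$tarball" ]; then
        echo "missing: $tarball" >&2
        return 1
    fi

    # 1. The md5 ties the downloaded tarball to what the srpm claims.
    actual_md5=$(md5sum "$tarball" | cut -d' ' -f1)
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "md5 mismatch for $tarball: got $actual_md5, expected $expected_md5" >&2
        return 1
    fi

    # 2. A detached upstream signature ties the tarball to upstream itself,
    #    which the md5 alone cannot do (the srpm author chose that md5).
    #    Assumed layout: <tarball>.sig or <tarball>.asc beside the tarball.
    for sig in "$tarball.sig" "$tarball.asc"; do
        if [ -f "$sig" ]; then
            if gpg --verify "$sig" "$tarball" 2>/dev/null; then
                echo "md5 ok, signature ok: $sig"
                return 0
            fi
            echo "BAD signature: $sig" >&2
            return 1
        fi
    done

    echo "md5 ok, no upstream signature found for $tarball"
    return 0
}
```

Without a signature the function still succeeds, so its output should be read as two separate facts: the md5 check passed, and no upstream signature was available to check.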