[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Neal Gompa (ニール・ゴンパ) notifications at github.com
Mon Jul 26 13:04:32 UTC 2021


> GitHub is trusted because in git (i.e. block-chain) it's impossible to have different content under the same hash-tag.

That's not actually true. Git uses SHA1 and collisions have been done to Git with it. That also said, GitHub archives may or may not be reproducible. And Git refs are not guaranteed to be stable either, as people can rewrite or modify them without any notice. The checksums make it so such changes are detected.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-886684247
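
The point made in the reply above, as an added example that is not part of the original message and is not rpm code: a checksum recorded by the packager fails both when a server regenerates an archive with identical content but different bytes, and when a tag is rewritten to point at different content. The function names, the tag "v1.0" and the sample tree are assumptions constructed for illustration.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

def make_archive(files, gzip_mtime):
    """Pack {name: bytes} into a .tar.gz; gzip_mtime is written to the gzip header."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # mtime/uid/gid default to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def unpacked(archive):
    """Return {name: bytes} for the regular files inside a .tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}

def verify_source(archive, pinned_sha256):
    """True only if the downloaded bytes match the checksum recorded by the packager."""
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)

# Constructed sample data: the tree behind a hypothetical tag "v1.0".
TREE = {"pkg-1.0/main.c": b"int main(void) { return 0; }\n"}
ORIGINAL = make_archive(TREE, gzip_mtime=1000)
PINNED = hashlib.sha256(ORIGINAL).hexdigest()  # what the packager recorded

# Same tree, archive regenerated later by the server: identical content, new bytes.
REGENERATED = make_archive(TREE, gzip_mtime=2000)
# Tag rewritten upstream to point at different content.
RETAGGED = make_archive({"pkg-1.0/main.c": b"int main(void) { return 1; }\n"}, 1000)

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("regenerated", REGENERATED),
                        ("retagged", RETAGGED)]:
        print(f"{label:12} checksum ok: {verify_source(blob, PINNED)}")
```

A mismatch on the regenerated archive does not mean the content changed, only that the bytes did; the check cannot tell the two cases apart, which is why it flags both for review.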