On Thursday 29 January 2009 at 17:45 +0100, Christoph Wickert wrote:
Sorry, but you did not answer my question. How do you compare it to
something that's not there? Ok, you knew the source, but how would you
know if Sven downloads it correctly, preserves the timestamp etc.? The
answer is: you didn't, but you trust Sven.
Also, I don't really care a lot, because this is something that will
change the first time upstream updates, and will be caught by the BADURL
autochecks anyway. So the value of me spending a lot of time on it
instead of checking the spec and if upstream is legit is rather limited.
And yes some people could try to spoof an upstream and inject malware in
a source, but they could create a web site and propose packaging a file
from this site almost as easily.
> If you want to do something useful, I have a pile of packaging changes
> in my review queue I'd be happy to pass on to someone obsessing about
> review quality in Fedora.
Then give me some bz # please.
Basically, all the children of
https://bugzilla.redhat.com/show_bug.cgi?id=477044 which saw packager
activity and changes.
Especially all the historic packages where all the remaining legacy
cruft may hide packager mistakes in the modernization of the packages.
--
Nicolas Mailhot