On Tue, Nov 24, 2009 at 10:33:16 -0500,
Todd Zullinger <tmz(a)pobox.com> wrote:
What I'm here for is to gather ideas for how to properly go about
building the mingw32-sha256sum and keeping it around so that when I
extract the sha256sum.exe and upload it to
fedoraproject.org we will
have the koji built rpm to compare the binary against. Otherwise, the
whole process falls back to "Trust that Todd didn't trojan the
executable." And while I'd be flattered if folks had that much trust
in me, I think it would be unwise to encourage or expect. :)
I was thinking about what the gpl requirements are for publishing
executables built with mingw are for another project that might be
set up on fedorahosted. Since mingw stuff is likely to include staticly
linked libraries, I think you need to have pointers to the sources for
the versions of all of the included libraries.
So while I haven't asked someone about this before, I was thinking that
I would probably need to determine the libraries that got linked in and
then note the versions that were used to do the build and include links
into koji for all of the involved src rpms prominently on the download
page.