What to do if upstream does not provide hashes for tarballs?
Leo Singer
aronnax at macports.org
Tue Nov 25 22:40:28 PST 2014
Hi,
I maintain one port (ds9) for which the upstream source tarball is posted on an http (no TLS) server. When I uploaded the initial version of the port, I recorded the hashes that I calculated from the tarball. There is an update available. I asked the developer if he could put a cryptographic hash on an https server. He sent me an RMD160 and a SHA1 hash, but in an unsigned e-mail. So technically, I have no way to check that the sources have not been tampered with. I don't think upstream has the resources to set up an https server.
Am I being way too paranoid? Should I just take the sources and hashes that I have?
I have tried to check the sources against the Debian package, but the Debian maintainer checked in just a subset of the upstream source because there are several dependencies bundled with it.
This is not a security-critical package, but it is used widely, perhaps daily, by people in my domain.
Thanks,
Leo Singer
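The two checks the message describes, recomputing a tarball's digests against the values upstream supplied and comparing the upstream tree against an independently obtained partial copy such as a distribution's repackaged subset, as an added POSIX shell example; this is not code from the original post or from MacPorts. It assumes `openssl`, `cmp` and `comm` are on PATH; the sample file and the two directory trees in the demo are constructed locally so it runs offline. `rmd160` works wherever the local OpenSSL build provides RIPEMD-160; the demo uses sha1 and sha256 so it runs everywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Two defensive checks on an
# upstream tarball: digest verification against hashes supplied out of band,
# and a file-by-file comparison against an independent partial copy.
set -eu

# Compute the named digest (e.g. rmd160, sha1, sha256) of a file as lowercase hex.
digest() {
    # openssl prints "ALG(file)= hex"; keep only the trailing hex field.
    openssl dgst -"$1" "$2" | awk '{print $NF}'
}

# verify_checksums FILE ALG=HEX [ALG=HEX ...]
# Returns 0 when every supplied digest matches the file, 1 otherwise.
# Expected values may be upper or lower case, as they arrive in e-mail.
verify_checksums() {
    file=$1; shift
    status=0
    for pair in "$@"; do
        alg=${pair%%=*}
        want=$(printf '%s' "${pair#*=}" | tr 'A-F' 'a-f')
        have=$(digest "$alg" "$file")
        if [ "$have" = "$want" ]; then
            echo "ok       $alg  $file"
        else
            echo "MISMATCH $alg  $file  expected=$want got=$have" >&2
            status=1
        fi
    done
    return $status
}

# compare_common_files DIR_A DIR_B
# Compares only the files present in both trees (so a repackaged subset that
# dropped bundled dependencies still gives a meaningful check). Returns 0 when
# every common file is byte-identical, 1 otherwise; files unique to one side
# are ignored, not treated as a mismatch.
compare_common_files() {
    a=$1; b=$2
    la=$(mktemp); lb=$(mktemp); lc=$(mktemp)
    (cd "$a" && find . -type f | sort) > "$la"
    (cd "$b" && find . -type f | sort) > "$lb"
    comm -12 "$la" "$lb" > "$lc"
    common=0; differ=0
    # Redirect from a file rather than a pipe so the counters survive the loop.
    while IFS= read -r f; do
        common=$((common + 1))
        if ! cmp -s "$a/$f" "$b/$f"; then
            differ=$((differ + 1))
            echo "DIFFERS  $f" >&2
        fi
    done < "$lc"
    rm -f "$la" "$lb" "$lc"
    echo "compared $common common files, $differ differ"
    [ "$differ" -eq 0 ]
}

# Demo on constructed data (a stand-in for the real tarball and trees).
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.tar.gz"
# Digests of the six-byte sample "hello\n"; the sha256 is given in upper case
# to show the normalisation step.
verify_checksums "$demo_dir/sample.tar.gz" \
    sha1=f572d396fae9206628714fb2ce00f72e94f2258f \
    sha256=5891B5B522D5DF086D0FF0B110FBD9D21BB4FC7163AF34D08286A2E846F6BE03
mkdir -p "$demo_dir/upstream/lib" "$demo_dir/repack/lib"
printf 'int x;\n' > "$demo_dir/upstream/lib/core.c"
printf 'int x;\n' > "$demo_dir/repack/lib/core.c"
printf 'bundled\n'  > "$demo_dir/upstream/vendor.c"   # present upstream only
compare_common_files "$demo_dir/upstream" "$demo_dir/repack"
rm -rf "$demo_dir"
```

The first function mirrors what the `checksums` line in a Portfile does at fetch time; the second is the check the post attempted against the Debian package, restricted to the intersection of the two trees so bundled dependencies absent from the repack do not mask a genuine change in a shared file.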