What to do if upstream does not provide hashes for tarballs?
Ryan Schmidt
ryandesign at macports.org
Tue Nov 25 23:19:01 PST 2014
On Nov 26, 2014, at 12:40 AM, Leo Singer wrote:
> I maintain one port (ds9) for which the upstream source tarball is posted on an http (no TLS) server. When I uploaded the initial version of the port, I recorded the hashes that I calculated from the tarball. There is an update available. I asked the developer if he could put a cryptographic hash on an https server. He sent me an RMD160 and a SHA1 hash, but in an unsigned e-mail. So technically, I have no way to check that the sources have not been tampered with. I don't think upstream has the resources to set up an https server.
>
> Am I being way too paranoid? Should I just take the sources and hashes that I have?
That's what I do.
More information about the macports-dev
mailing list