source not checked with sha256

Bug #1618591 reported by Curtis Hovey on 2016-08-30
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

The "source" option is not as repeatable or secure as implied in

Specifying a versioned tar file is not truly repeatable if someone tampers with it. Git tags can and are redefined. In the case of git, I believe I can pass a commit hash to be clear about the requirement. I cannot do so for archive files like tar files.

This issue is similar to Homebrew's need to ensure repeatable and safe formulas. That distro added sha256 sums for all downloaded data.

It would be reassuring if we could specify something like "source-sha256"

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers