Hi,

On 02/20/2015 03:22 PM, Daniel Micay wrote:
> On 20/02/15 09:03 AM, Mark Lee wrote:
>> I understand that the metadata changed which changed the checksum, but that doesn't really change the question of what to do with source code versioning systems that have changing checksums and the need to supply source code for GPL projects.
>
> Checksums aren't sources. Checksums aren't a proof that the package was built from those sources. Checksums also aren't a valuable security mechanism, unlike the support for GPG verification of sources. They're blindly updated on every release and clobbering releases is common... so we've all learned to ignore checksum failures. I don't understand what this has to do with the GPL.
Checksums prove that the sources you downloaded when running makepkg are the same sources the author of the PKGBUILD used. This can be a valuable security measure when those sources are not downloaded over a secure connection (http instead of https and the like). I'm not sure if downloads over the git:// protocol are actually verified, because the transfer is definitely not secure. I do hope so.

Greetings,
Florian
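The makepkg checksum semantics discussed in this thread, as an added example that is not part of the thread and not makepkg's own code: a small bash stand-in for the source-integrity check, run against a constructed file (the `foo-1.0.tar.gz` name and its contents are made up) so the pass, mismatch and SKIP cases can be seen side by side.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from makepkg): a small stand-in for
# makepkg's source-integrity check. As in a PKGBUILD, it reads a `source`
# array and a parallel `sha256sums` array; the entry SKIP turns the check off
# for that source, which is what VCS (e.g. git://) sources normally use.

# digest FILE -> hex sha256 (sha256sum on GNU systems, shasum elsewhere)
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sources: returns 0 if every non-SKIP source matches its pinned
# checksum, 1 otherwise. Prints a makepkg-like status line per source.
verify_sources() {
  local i file expected rc=0
  for i in "${!source[@]}"; do
    file=${source[$i]}
    expected=${sha256sums[$i]:-}
    if [ "$expected" = "SKIP" ]; then
      echo "$file ... Skipped (integrity NOT checked)"
    elif [ -z "$expected" ]; then
      echo "$file ... FAILED (no checksum entry)"; rc=1
    elif [ ! -f "$file" ]; then
      echo "$file ... FAILED (file missing)"; rc=1
    elif [ "$(digest "$file")" = "$expected" ]; then
      echo "$file ... Passed"
    else
      echo "$file ... FAILED (checksum mismatch)"; rc=1
    fi
  done
  return "$rc"
}

# Demo on a constructed "tarball": pin its hash as the PKGBUILD author would,
# then alter the file as a bad mirror or an insecure transport could.
demo_dir=$(mktemp -d)
printf 'constructed upstream tarball\n' > "$demo_dir/foo-1.0.tar.gz"
source=("$demo_dir/foo-1.0.tar.gz")
sha256sums=("$(digest "${source[0]}")")
verify_sources                          # Passed
printf 'altered\n' >> "${source[0]}"
verify_sources || echo "altered download rejected"
sha256sums=("SKIP")
verify_sources                          # Skipped: the alteration goes unnoticed
rm -rf "$demo_dir"
```

The SKIP case is the point of Florian's worry about git:// sources: with SKIP the check passes whatever was transferred, so the only integrity left is whatever the transport or a GPG signature provides.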