On 20/02/15 09:03 AM, Mark Lee wrote:
>> No... the integrity check not matching is not because an out-of-tree source tree was used. The checksums are certainly not there to improve security, that's what GPG signatures are for.
> The checksums are there for integrity. The GPG signatures only confirm the packager built the package. My question is if a packager's PKGBUILD fails a checksum and the license is GPL, how does the packager fulfill their requirement to provide the source code? How does the packager prove that the source was used to build the binaries, especially when there are hash collisions in md5? The packager seems to offset the source code necessities by grabbing the source from upstream, but the checksums don't match...
> I understand that the metadata changed which changed the checksum, but that doesn't really change the question of what to do with source code versioning systems that have changing checksums and the need to supply source code for GPL projects.
> Regards, Mark
This is Arch's way of complying with the GPL: https://sources.archlinux.org/ It should really be generated by devtools instead of on the server, sure, but either way it "proves" nothing. The packager can trivially build the package with different sources... if you don't trust us, then you have bigger problems and nothing short of examining the compiled code is going to prove anything. This is why people care about deterministic, reproducible builds: https://wiki.debian.org/ReproducibleBuilds It makes it possible to audit binary builds sanely.
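The two points the thread turns on, that archive metadata alone can change a checksum while the source content stays identical, and that a normalized (reproducible) archive is the fix, can be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from makepkg, or from Arch's devtools. The source tree, the build timestamps and the function names (`snapshot_tarball`, `reproducible_tarball`, `integrity_check`) are constructed for illustration. The content comparison `integrity_check` performs is the same kind of check makepkg does against a `sha256sums=(...)` array, nothing more: it says the bytes match, not who produced them.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> bytes). It stands in for the
# upstream tree a PKGBUILD fetches; it is not a real package.
SAMPLE_SOURCES = {
    "pkg-1.0/src/hello.c": b'#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n',
    "pkg-1.0/Makefile": b"all:\n\tcc -o hello src/hello.c\n",
    "pkg-1.0/LICENSE": b"GPL-2.0-or-later\n",
}


def build_tarball(files, order, mtime, uid, uname, gzip_mtime):
    """Pack `files` into a .tar.gz in the given entry order, stamping every
    entry with the given mtime and owner. Everything that is not file
    content is a parameter, so the effect of each piece of metadata on the
    resulting checksum can be observed separately."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = mtime
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            tar.addfile(info, io.BytesIO(data))
    # gzip writes its own timestamp into the stream header; mtime=0 zeroes it.
    return gzip.compress(raw.getvalue(), compresslevel=9, mtime=gzip_mtime)


def snapshot_tarball(files, build_time, uid=1000, uname="builder"):
    """What an ad-hoc export of a checkout produces: entries in walk order,
    stamped with the export time and the exporting user's identity."""
    return build_tarball(files, list(files), build_time, uid, uname, build_time)


def reproducible_tarball(files):
    """Normalized archive: sorted entry names, epoch mtime, uid/gid 0 with
    empty owner names, zero gzip timestamp. Byte-identical for identical
    content, so its checksum depends on the source alone."""
    return build_tarball(files, sorted(files), 0, 0, "", 0)


def extract(blob):
    """Unpack an archive back into {path: bytes} so content can be compared
    independently of the archive bytes."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def checksums(blob):
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest()}


def integrity_check(blob, expected_sha256):
    """Content match against a pinned digest, the same comparison a
    sha256sums=(...) line drives. Says nothing about who built the archive;
    that is what a signature over the package is for."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


if __name__ == "__main__":
    # Constructed timestamps: two exports of the same tree a day apart.
    a = snapshot_tarball(SAMPLE_SOURCES, 1424422980)
    b = snapshot_tarball(SAMPLE_SOURCES, 1424509380, uid=1001, uname="mirror")
    print("same content:", extract(a) == extract(b))
    print("same sha256: ", checksums(a)["sha256"] == checksums(b)["sha256"])

    r1 = reproducible_tarball(SAMPLE_SOURCES)
    r2 = reproducible_tarball(dict(reversed(list(SAMPLE_SOURCES.items()))))
    print("normalized archives identical:", r1 == r2)
    print("pinned digest still matches:  ",
          integrity_check(r1, checksums(r1)["sha256"]))
```

The first pair of archives carries the same three files and unpacks to the same tree, yet its sha256 (and md5) differ, which is exactly the "metadata changed which changed the checksum" situation: a pinned checksum in a PKGBUILD fails even though the source did not. The normalized builder removes every input other than file content, so two people exporting the same tree get the same bytes and the same digest, which is the property reproducible-builds work extends from source archives to the compiled package.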