On Wed, 14 Sep 2016, Moritz Klammler wrote:

> be cleaner to only include those checksums that are actually needed.  On
> the other hand, it means an increased maintenance burden each time the
> version of the dependency is changed.  In order to mitigate this and

I really don't see it as an increased burden.  The maintainer shouldn't be 
using the checksum files on the server at all.  What they should do is:

* Download the tar file from ftp.gnu.org (at least for GMP / MPFR / MPC), 
*verify the GPG signature* and test with it.  (I'm not sure if the GNU 
keyring is currently published.)  The GPG signatures on ftp.gnu.org are 
from the maintainer who uploaded the package, whereas the checksum files 
on gcc.gnu.org are automatically generated from cron.  (I don't know if a 
secure way to download ISL from its origin has been added since 
<https://gcc.gnu.org/ml/gcc/2016-07/msg00003.html> raised the issue.)

* Update the script and the to-be-checked-in checksums, using the file 
they just downloaded and verified the signature of.

* Add the new file to the server before the script changes get checked in.

-- 
Joseph S. Myers
jos...@codesourcery.com
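The maintainer workflow Joseph lays out, as an added shell example; this is not code from the thread or from GCC's download_prerequisites script. It assumes gpg and sha512sum (or shasum) are installed, that the tarball and its detached .sig were already fetched from ftp.gnu.org, and that KEYRING is a hypothetical locally kept keyring holding only the upstream release signers' public keys.

```shell
#!/bin/sh
# Added example, not from the thread or from GCC's own scripts.
# Assumptions: gpg and sha512sum/shasum installed; tarball and detached .sig
# already downloaded; KEYRING is a local keyring of upstream release signers.
set -eu

sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"
    else shasum -a 512 "$1"; fi | cut -d' ' -f1
}

# verify_release FILE SIG KEYRING: true only if SIG is a good signature on FILE
# by a key in KEYRING. --no-default-keyring stops gpg from consulting the
# user's own keyring, so trust comes only from the keyring we name.
verify_release() {
    gpg --batch --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# update_checksum SUMFILE FILE: replace (or add) FILE's "hash  name" line in
# SUMFILE, computed from the local copy rather than from a mirror's .sum file.
update_checksum() {
    sumfile=$1; file=$2; name=$(basename "$file")
    tmp=$(mktemp)
    if [ -f "$sumfile" ]; then grep -v "  $name\$" "$sumfile" > "$tmp" || :; fi
    printf '%s  %s\n' "$(sha512_of "$file")" "$name" >> "$tmp"
    mv "$tmp" "$sumfile"
}

# checksum_ok SUMFILE FILE: the check a downloader runs before trusting FILE.
checksum_ok() {
    want=$(grep "  $(basename "$2")\$" "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$(sha512_of "$2")" ]
}

# refresh_prerequisite SUMFILE FILE SIG KEYRING: the maintainer step. The
# checked-in checksum is only ever derived from a signature-verified file.
refresh_prerequisite() {
    if verify_release "$2" "$3" "$4"; then
        update_checksum "$1" "$2"
    else
        echo "refusing to update $1: bad or missing signature on $2" >&2
        return 1
    fi
}
```

The checksum file produced here is the one to check in alongside the script; the .sum files generated on the mirror are never consulted.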
