Joseph Myers <jos...@codesourcery.com> writes:

> On Wed, 14 Sep 2016, Moritz Klammler wrote:
>
>> be cleaner to only include those checksums that are actually needed. On
>> the other hand, it means an increased maintenance burden each time the
>> version of the dependency is changed. In order to mitigate this and
>
> I really don't see it as an increased burden. The maintainer shouldn't be
> using the checksum files on the server at all. What they should do is:
>
> * Download the tar file from ftp.gnu.org (at least for GMP / MPFR / MPC),
> *verify the GPG signature* and test with it. (I'm not sure if the GNU
> keyring is currently published.) The GPG signatures on ftp.gnu.org are
> from the maintainer who uploaded the package, whereas the checksum files
> on gcc.gnu.org are automatically generated from cron. (I don't know if a
> secure way to download ISL from its origin has been added since
> <https://gcc.gnu.org/ml/gcc/2016-07/msg00003.html> raised the issue.)
>
> * Update the script and the to-be-checked-in checksums, using the file
> they just downloaded and verified the signature of.
>
> * Add the new file to the server before the script changes get checked in.
Ok, I didn't know about the workflow. Do you think I should dike the `--strip-sums` option out again then?
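The maintainer-side workflow Joseph describes, as an added shell example that is not from this thread or from the GCC scripts: the tarball's signature is checked against an explicitly named keyring first, and only a file that passed that check has its checksum recorded in the to-be-checked-in sum file. The keyring path, the "<sha512>  <basename>" sum-file layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not GCC's own code. Checksums are derived from a
# signature-verified tarball, never copied from a cron-generated file.

# verify_signature TARBALL SIG KEYRING: succeed only if SIG is a good
# signature over TARBALL by a key in KEYRING (default keyring ignored).
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# record_sum TARBALL SUMFILE: compute sha512 of TARBALL and replace any
# existing entry for its basename in SUMFILE (append if absent).
record_sum() {
    tarball=$1; sumfile=$2
    name=$(basename "$tarball")
    sum=$(sha512sum "$tarball" | cut -d' ' -f1)
    [ -f "$sumfile" ] || : > "$sumfile"
    # keep every line except a stale one for this file name
    awk -v n="$name" '$2 != n' "$sumfile" > "$sumfile.tmp"
    printf '%s  %s\n' "$sum" "$name" >> "$sumfile.tmp"
    mv "$sumfile.tmp" "$sumfile"
}

# check_sum TARBALL SUMFILE: succeed if TARBALL matches its recorded entry;
# this is the user-side check a download script would perform.
check_sum() {
    actual=$(sha512sum "$1" | cut -d' ' -f1)
    expected=$(awk -v n="$(basename "$1")" '$2 == n { print $1 }' "$2")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# update_prerequisite TARBALL SIG KEYRING SUMFILE: the full maintainer step.
# A bad or missing signature stops the update before any sum is written.
update_prerequisite() {
    verify_signature "$1" "$2" "$3" || {
        echo "signature check failed for $1; not recording a checksum" >&2
        return 1
    }
    record_sum "$1" "$4"
}
```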