Joseph Myers <jos...@codesourcery.com> writes:

> On Wed, 14 Sep 2016, Moritz Klammler wrote:
>
>> be cleaner to only include those checksums that are actually needed.  On
>> the other hand, it means an increased maintenance burden each time the
>> version of the dependency is changed.  In order to mitigate this and
>
> I really don't see it as an increased burden.  The maintainer shouldn't be 
> using the checksum files on the server at all.  What they should do is:
>
> * Download the tar file from ftp.gnu.org (at least for GMP / MPFR / MPC), 
> *verify the GPG signature* and test with it.  (I'm not sure if the GNU 
> keyring is currently published.)  The GPG signatures on ftp.gnu.org are 
> from the maintainer who uploaded the package, whereas the checksum files 
> on gcc.gnu.org are automatically generated from cron.  (I don't know if a 
> secure way to download ISL from its origin has been added since 
> <https://gcc.gnu.org/ml/gcc/2016-07/msg00003.html> raised the issue.)
>
> * Update the script and the to-be-checked-in checksums, using the file 
> they just downloaded and verified the signature of.
>
> * Add the new file to the server before the script changes get checked in.

Ok, I didn't know about the workflow.  Do you think I should dike the
`--strip-sums` option out again then?
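The maintainer-side workflow Joseph lists above (verify the upstream signature first, then record the checksum that the script will later compare against), as an added shell example that is not part of this thread or of the gcc script under discussion; the `<sha512>  <filename>` sums-file layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the gcc prerequisites script. Assumed layout of the
# checked-in sums file: one "<sha512>  <filename>" line per tarball.

# Hash a file with whatever SHA-512 tool the platform provides.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Step 1 (maintainer): verify the detached GPG signature of the tarball just
# downloaded from its origin. Fails if gpg is absent or the signature does
# not verify; a missing .sig also fails, so an unsigned download never passes.
verify_signature() {
    tarball=$1
    [ -f "$tarball.sig" ] || { echo "no signature for $tarball" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    gpg --verify "$tarball.sig" "$tarball"
}

# Step 2 (maintainer): append the checksum of the verified file to the sums
# file that gets checked in next to the script.
record_checksum() {
    printf '%s  %s\n' "$(sha512_of "$1")" "$(basename "$1")" >> "$2"
}

# Later (user side): compare a download against the checked-in sum.
# Returns 0 on match, 1 if the file is unknown or its hash differs.
check_checksum() {
    name=$(basename "$1")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$2")
    [ -n "$expected" ] || { echo "no recorded sum for $name" >&2; return 1; }
    [ "$expected" = "$(sha512_of "$1")" ]
}

# Usage (constructed tarball): verify_signature foo.tar.bz2 &&
#   record_checksum foo.tar.bz2 sha512.sum; then check_checksum foo.tar.bz2 sha512.sum
```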
