On Wed, Jan 02, 2019 at 11:59:51AM -0500, Charles A Daniels wrote:
[...]
> > If that happens and the distfiles prove unstable we will need to do
> > *something* though .. and we won't be the only ones, any packagers that
> > check distfiles (either by hashes or by pgp signatures as is more common
> > on Linux) will need stable files to do that.
>
> What do the Debian guys do? I know they are pretty big on
> re-producible builds. I was not able to figure out how they validate the
> distfiles from the about page for the re-producible builds initiative.
> Maybe we could reach out to the Debian mailing list about this - they
> surely have the same problem and have either solved it, or are working
> on solving it.

Debian doesn't fetch from external sources. The developer generates a
tarball from the program source and uploads it to their servers.

--
Juan Francisco Cantero Hurtado http://juanfra.info
