sha256:146d2d673358b7927d9a3c74e22b6b0e7f9a1aee2a4307afbe6ac07f12764130?
sha256:599ff98cbab933a8b3640a084b12a5308a20795c192855ee454a8c1c16fa4dac?
Both?
cheers,
kpcyrd
to be).
A "source code build process" is clearly just the build process in a
trenchcoat.
cheers,
kpcyrd
e to better use.
Or perhaps stop using tarballs in Debian as sole permitted
form of source.
I'd be fine with that.
cheers,
kpcyrd
On 4/3/24 4:21 AM, Adrian Bunk wrote:
On Wed, Apr 03, 2024 at 02:31:11AM +0200, kpcyrd wrote:
...
I figured out a somewhat straightforward way to check if a given `git
archive` output is cryptographically claimed to be the source input of a
given binary package in either Arch Linux or Debian
posed to give guidance on what to code review. This is also why I
think code signing by upstream is somewhat low priority, since the big
distros can form consensus around "what's the source code" regardless.
https://github.com/kpcyrd/backseat-signed
The README shows how to veri
or defunct tho, please do not make assumptions unless
you tested them, many of them have a `check:` section for automatic
integration testing):
https://github.com/kpcyrd/sh4d0wup
The name is derived from "shadow updates" that carry a valid signature
(through private key abuse) b