Subject: Re: [boost] What is http://downloads.sourceforge.net/boost/boost_1_63_0.tar.bz2 ?
From: Olaf van der Spek (ml_at_[hidden])
Date: 2017-02-10 08:30:20
On Thu, Feb 9, 2017 at 12:53 PM, Jonathan Wakely via Boost
>> Even if you trust Fedora infrastructure (and thus don't check the hash
>> when the archive is downloaded from there), the hash should still have
>> been verified when the archive was first downloaded from SourceForge.
>> At that point updating the Fedora servers should have failed.
> Checking the hash is a manual process that should be done by the
> maintainer, it can't cause updating the Fedora servers to fail (the
> infrastructure can't check the hash because it doesn't know what to
> compare it to). I screwed that up for the first cycle of rebuilds I
> did for Boost 1.63.0.
IMO checking hashes should be an automatic process..
You pass the hash and the URL to the downloader, which shouldn't
return any data if the hash doesn't match..
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk