[oss-devel] oss source tarball name
Yair K.
cesium2 at gmail.com
Thu Jan 17 19:28:55 EET 2008
On Thursday 17 January 2008 18:37:19 Dev Mazumdar wrote:
> Hi,
>
> While I agree with this, how do we specify the build id in the package
> name?
>
> We can guarantee that whatever is in the stable/$LICENSE is always the
> latest - you will only find ONE bz2 file there.
>
> The other option is we rename as follows:
> sources/stable/oss-4.0-stable-<license>.tar.bz2
> But you never know what version this file is.
>
>
> Yet another option is that we have a symlink:
> LATEST -> oss-4.0-<buildid>-<license>-tar.bz2
> Then you pull down LATEST using wget or whatever.
>
The latter option sounds simplest. Two other things I'd suggest:
1) Having the newest version already in attic/. That way, there's already
a stable link if a package system is interested in that particular build.
2) Having a checksum on the server for the source tarballs (LATEST.sha?).
The recent SquirrelMail vulnerability[1] shows that the source poisoning
method is used in the wild. (Yes, an attacker will change the checksum on the
affected server, but a user can verify against a checksum from a different
mirror from the one downloading LATEST). I'm no expert at this, but MD5
sounds like it's about to be broken for verification, so I'd suggest using a
SHA-based method.
[1] http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw
Yours,
Yair K.
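The cross-mirror check the post suggests (pull LATEST from one mirror, LATEST.sha from another, reject on mismatch), as an added example that is not from this thread or the OSS project. It uses two local directories as stand-in mirrors, assumes SHA-256 with a sha256sum-style LATEST.sha, and the mirror paths and build id are constructed.

```shell
#!/bin/sh
# Constructed demo: two local directories stand in for two mirrors of
# sources/stable/<license>/. The LATEST symlink and LATEST.sha name follow
# the thread; mirror_a/mirror_b, SHA-256 and the build id are assumptions.
set -u

sha256_of() {
    # Print the hex digest of $1; fall back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_latest <tarball-mirror> <checksum-mirror>
# Resolves LATEST on the first mirror, reads LATEST.sha from the second and
# returns 0 only if the digests match: 1 on mismatch, 2 if a file is missing.
verify_latest() {
    tarball="$1/LATEST"
    sums="$2/LATEST.sha"
    [ -f "$tarball" ] && [ -f "$sums" ] || return 2
    # LATEST.sha holds "<hex digest>  <real file name>" (sha256sum format);
    # match on the name the symlink points at, not on "LATEST" itself.
    real=$(basename "$(readlink "$tarball" || echo "$tarball")")
    expected=$(awk -v f="$real" '$2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$tarball")
    [ "$actual" = "$expected" ]
}

# Build the two constructed mirrors in a scratch directory and print its path.
demo_setup() {
    root=$(mktemp -d)
    mkdir "$root/mirror_a" "$root/mirror_b"
    printf 'constructed tarball contents\n' > "$root/mirror_a/oss-4.0-1234-gpl.tar.bz2"
    ln -s oss-4.0-1234-gpl.tar.bz2 "$root/mirror_a/LATEST"
    printf '%s  oss-4.0-1234-gpl.tar.bz2\n' \
        "$(sha256_of "$root/mirror_a/oss-4.0-1234-gpl.tar.bz2")" > "$root/mirror_b/LATEST.sha"
    echo "$root"
}
```

Appending a byte to the tarball on mirror_a makes verify_latest return 1, which is the case a poisoned single mirror cannot hide as long as LATEST.sha is fetched elsewhere.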