binutils snapshot builds

Sam James sam@gentoo.org
Thu May 23 23:37:00 GMT 2024


Mark Wielaard <mark@klomp.org> writes:

> Hi Frank,
>
> On Thu, May 23, 2024 at 10:57:41AM +0200, Frank Scheiner wrote:
>> On 23.05.24 00:08, Mark Wielaard wrote:
>> >It gets regenerated every 15 minutes, if there have been any changes
>> >since the last build. The latest can always be found here:
>> >
>> >https://snapshots.sourceware.org/binutils/trunk/latest/src/
>> 
>> Much obliged, this will be very useful for what I have in mind for ia64.
>> 
>> I looked into it and also the snapshots for other projects like glibc
>> and I didn't find any hash sums that accompany the tarballs available
>> for download. I wonder, is there maybe a way to serve the tarballs
>> **and** their hash sums for consumption by external parties?
>> 
>> I mean, yeah, it's already served via HTTPS, but I still would like to
>> know if what was downloaded was also downloaded correctly.
>
> Do note that these snapshots are generated totally automatically, it
> could be right after a bad/accidental commit. Nobody double checks any of
> the snapshots (except that they could be generated). So please don't
> trust them even if some checksum (which would also be generated
> automatically) matches.

This is fine as I already check the diff before using it anywhere
non-automated.

But I would appreciate if you could consider signing them with an
automated key, at least for the GCC snapshots (which are stored
elsewhere), because we currently grab them from mirrors to avoid
overloading sourceware. But we have no way of verifying mirrors didn't
tamper...

>
> That said, we could generate sha512.sum files in each directory.
> Like we do on https://sourceware.org/pub/binutils/releases/
>
> Would that be useful?
>
> I think it is just noise though. It might make the snapshots look more
> trustworthy than they really are.
>
> Cheers,
>
> Mark
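
An added example, not part of the original thread and not sourceware code: it checks a tarball against a sha512sum-format list such as the proposed sha512.sum, and shows that a list served by the same mirror as an altered tarball still matches, while a list obtained from the origin does not. The file name and contents are constructed, and fetching the list from the origin rather than the mirror is an assumption of the example.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_sum_file(text):
    """Parse sha512sum output lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        digest, name = digest.lower(), rest[1:]  # drop the ' ' or '*' mode marker
        if len(digest) != 128 or not set(digest) <= HEX or rest[:1] not in (" ", "*") or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries

def sha512_of(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, sum_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_sum_file(sum_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(expected, sha512_of(path)) else "mismatch"

def demo():
    name = "snapshot.tar.xz"                      # constructed file name
    published = b"constructed snapshot bytes\n"   # what the origin built
    served = published + b"altered\n"             # what the mirror handed out
    origin_sums = f"{hashlib.sha512(published).hexdigest()}  {name}\n"
    mirror_sums = f"{hashlib.sha512(served).hexdigest()}  {name}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(served)
        return verify(path, origin_sums), verify(path, mirror_sums)

if __name__ == "__main__":
    print(demo())
```

Neither result says anything about whether the commit the snapshot was built from is sound.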

