[Xapian-discuss] How can I trust the xapian openSUSE packages?

Olly Betts olly at survex.com
Mon Nov 19 18:40:06 GMT 2007


On Mon, Nov 19, 2007 at 06:58:47PM +0100, Gregor Schmid wrote:
> The SUSE RPMs for xapian are provided on the openSUSE build service
> and though I'm pretty sure that they were placed there by some of the
> xapian developers, it is not clear how our provider can verify that.

Assuming you mean those linked to from the download page on xapian.org,
they aren't maintained by any Xapian developers, but I think those
responsible are SuSE developers (3 of the 4 listed on the build service
have @novell.com email addresses at least).  I believe some of them read
this list.

I also have an account on their buildservice which I use for testing
builds, but these aren't intended for public consumption.

> On the Build Service website there is talk about a trust relationship
> and a rating mechanism, but none of this seems to be implemented.

I don't know about this.

> If there's no such mechanism, would it be possible for you to assist
> verification by, for example, publishing an MD5 hash for the latest
> packages on the xapian.org website? Our provider would be willing to
> trust a package downloaded directly from the authors, i.e.
> www.xapian.org and posting such a hash for externally provided
> packages could create the same level of trust for those.

I don't have a way to easily verify the contents of those packages, so
publishing a hash for them on xapian.org wouldn't actually provide a
valid reason for trusting them more than you would otherwise.

> Ideas, alternative suggestions, feedback from other users of the xapian
> SUSE RPMs etc. would be greatly appreciated.

If they're only willing to trust downloads from xapian.org, building from
source seems the obvious approach - there's a spec file in each tarball
so rpmbuild can work directly from them.  I can see hosting companies
not being so keen on that though.

Or find a provider who offers virtual servers - that way installing
packages for you doesn't affect other users.

Cheers,
    Olly


