by riskable
4487 days ago
The whole "package signing" thing can be validated against the source tarball with a bit of due diligence. The key is "source packages". As in, `apt-get source`. See: http://askubuntu.com/questions/28372/how-do-i-get-the-source... When you do that you'll get the original tarball that was used to create the package along with any patches. You can compare that tarball to one you can find on the Internet (usually in more than one location) and they usually have md5/sha1 signatures. The rabbit hole goes very deep and yet there are people (like me!) who actually do do that sometimes. I suspected that the tuxtyping package may have been modified (due to corrupt .wav files being included) and went through the whole rigamarole of validation. I double and triple-checked the signatures against the binaries, sources, and everything else I could find in the package repositories (and mirrors). Turns out it was just some filesystem corruption that added some extra bytes to the tail end of those .wav files. They're harmless.
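The check the comment above describes, as an added example that is not the commenter's code or any distribution's tooling: fetch a source tarball, compare its digest with the digest the upstream project publishes, and compare the copies obtained from two mirrors byte for byte. The script is self-contained: it builds its own throwaway "upstream" tarball, manifest and second-mirror copy (all constructed), and assumes only a POSIX shell, GNU `sha256sum`, `tar` and `cmp`. The package name `pkg_1.0.orig.tar.gz` and the `.wav` content are made up. Two practical caveats the comment glosses over: md5 and sha1 are collision-prone, so prefer a sha256 manifest where upstream offers one, and on a Debian-derived system the `.dsc` that `apt-get source` fetches is GPG-signed and carries the tarball hashes, so `dscverify` (from devscripts) does the signature and hash check in one step.

```shell
#!/bin/sh
# Added example (not the commenter's code, not apt/dpkg tooling).
# Assumes GNU coreutils sha256sum, tar, cmp and a POSIX shell.

# verify_against_sums MANIFEST FILE
# MANIFEST holds lines in sha256sum format: "<sha256>  <filename>".
# Exit 0 if FILE's digest matches its manifest entry, 1 otherwise.
# A file that is not listed at all is treated as unverified (exit 1),
# since "no entry" must never pass as "matched".
verify_against_sums() {
    manifest="$1"
    target="$2"
    name=$(basename "$target")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$target" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# mirrors_agree FILE_A FILE_B
# The second check from the comment: the same tarball fetched from two
# places must be byte-identical. Exit 0 if so, 1 if they differ.
mirrors_agree() {
    cmp -s "$1" "$2"
}

# demo_corruption_detected
# Builds a constructed "upstream" tarball plus its SHA256SUMS manifest,
# then a second-mirror copy with a few extra bytes appended (the kind of
# tail-end corruption the comment describes). Exit 0 only if the pristine
# copy verifies AND the padded copy is rejected by both checks.
demo_corruption_detected() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/pkg-1.0" "$work/mirror2"

    # Constructed sample payload; the bytes themselves do not matter.
    printf '%s\n' 'RIFF....WAVEfmt (constructed sample)' > "$work/pkg-1.0/sound.wav"
    (cd "$work" && tar -czf pkg_1.0.orig.tar.gz pkg-1.0)

    # The "published" manifest, as the upstream site would serve it.
    (cd "$work" && sha256sum pkg_1.0.orig.tar.gz > SHA256SUMS)

    # Same file name from a second mirror, but with four trailing NUL bytes.
    cp "$work/pkg_1.0.orig.tar.gz" "$work/mirror2/pkg_1.0.orig.tar.gz"
    printf '\0\0\0\0' >> "$work/mirror2/pkg_1.0.orig.tar.gz"

    result=1
    if verify_against_sums "$work/SHA256SUMS" "$work/pkg_1.0.orig.tar.gz" \
       && ! verify_against_sums "$work/SHA256SUMS" "$work/mirror2/pkg_1.0.orig.tar.gz" \
       && ! mirrors_agree "$work/pkg_1.0.orig.tar.gz" "$work/mirror2/pkg_1.0.orig.tar.gz"; then
        result=0
    fi
    rm -rf "$work"
    return $result
}

# Run the demonstration when executed directly.
demo_corruption_detected && echo "pristine copy verified, padded copy rejected"
```

Against a real package you would replace the constructed tarball with the `.orig.tar.gz` that `apt-get source` drops in the working directory and the manifest with the upstream project's published SHA256SUMS; the functions do not change.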