About News Download Docs Forum Bugs Contact





Source integrity checking standards

Note: a single physical server can not be used to provide more than one verification source. To use e.g. a key posted on the primary site as a source and a project mailing list post as a second source the ML post must be available from a location other than the primary site.

"Verification" means that the fingerprint retrieved in the above method matches the fingerprint of the key to be included in the grimoire. For example, getting the key from the primary upstream site and comparing the fingerprint against the same key from a keyserver and a fingerprint published to the relevant project's mailing list counts as three methods.

Users can set preferences to indicate the types of verification they are willing to accept. Any method not in their list is counted as a verification failure, at which point the existing user preference for how to deal with verification failures applies (ignore, continue, etc.).

Levels WORKS_FOR_ME through VERIFIED_UPSTREAM_HASH apply to spells using SOURCE_HASH or that are guru-signed. Level UPSTREAM_KEY through ID_CHECK_UPSTREAM_KEY apply to vendor-signed sources. If no level is specified in SOURCE_HASH/SOURCE_GPG, level WORKS_FOR_ME is assumed.

Note that if you are using an upstream key this means you should at least set the level to UPSTREAM_KEY. Sorcery can't tell the difference between an upstream signature and a guru signature.

Those are the reasons for ignoring the source code validation. Signatures are silently ignored (i.e. not printed to user). Everything else respects MD5SUM_DL, which is deprecated.

Bugs classification