From: Noah Slater
Date: Fri, 26 Nov 2010 21:15:00 +0000
Subject: Re: tracking upstream dependencies
To: dev@couchdb.apache.org

On 26 Nov 2010, at 20:58, Dirkjan Ochtman wrote:

> On Fri, Nov 26, 2010 at 21:44, Noah Slater wrote:
>> But assuming we got this working, we face the problem of not being able to apply our own patches. Also, the software it downloads might have some bug in it that was introduced a week, day, or hour before the release was made. How would we defend ourselves against this?
>
> You pull a specific version tarball and check it against a checksum?

If we have a checksum, what's the point? Why not just include the original source the checksum is taken from?
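
The fetch-and-verify approach suggested in the quoted reply, sketched as an added example that is not part of this thread or of CouchDB's build. The manifest layout, the function names and the tarball name are assumptions made for illustration.

```python
# Added example; manifest layout, function names and file name are hypothetical.
import hashlib
import hmac
import os
import tempfile

class ChecksumError(Exception):
    """Artifact has no pin or does not match its pin."""

def sha256_file(path, chunk_size=65536):
    """Stream the file so large tarballs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_tarball(path, pinned):
    """Return the digest if `path` matches its pin; fail closed otherwise."""
    name = os.path.basename(path)
    expected = pinned.get(name)
    if expected is None:
        raise ChecksumError(f"no pinned checksum for {name}")
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected.lower()):
        raise ChecksumError(f"{name}: expected {expected}, got {actual}")
    return actual

def demo():
    """Constructed sample: pin reviewed bytes, then change the file under the same name."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "libexample-1.2.3.tar.gz"  # constructed file name
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"reviewed release contents")
        pinned = {name: sha256_file(path)}  # digest recorded at review time
        matched = verify_tarball(path, pinned) == pinned[name]
        with open(path, "ab") as fh:
            fh.write(b" plus an unreviewed change")
        try:
            verify_tarball(path, pinned)
            rejected = False
        except ChecksumError:
            rejected = True
        return matched, rejected

if __name__ == "__main__":
    print(demo())
```

The pin only proves the downloaded bytes are the ones that were reviewed; it does not cover local patches, which is the other half of the question raised in the thread.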