Re: [PATCH] Add Travis-CI config file.

Subject: Re: [PATCH] Add Travis-CI config file.

Date: Fri, 09 May 2014 16:05:01 -0300

To: Wael M. Nasreddine, notmuch@notmuchmail.org

Cc:

From: Daniel Kahn Gillmor


On 05/09/2014 11:19 AM, Wael M. Nasreddine wrote:
> ---
>  .travis.yml | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>  create mode 100644 .travis.yml
> 
> diff --git a/.travis.yml b/.travis.yml
> new file mode 100644
> index 0000000..8d92cdc
> --- /dev/null
> +++ b/.travis.yml
> @@ -0,0 +1,10 @@
> +language: c
> +before_install:
> +  - sudo apt-get update -qq
> +  - wget 'https://launchpad.net/ubuntu/+archive/primary/+files/zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb'
> +  - wget 'https://launchpad.net/ubuntu/+archive/primary/+files/zlib1g_1.2.8.dfsg-1ubuntu1_amd64.deb'
> +  - sudo dpkg -i zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb zlib1g_1.2.8.dfsg-1ubuntu1_amd64.deb
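
Review bot: The `sudo dpkg -i` step at the end of `before_install` installs the two .deb files immediately after `wget` fetches them, and nothing in between checks that the downloaded bytes are the expected packages. Add a step between the last `wget` and `dpkg -i` that compares each file against a pinned SHA-256 digest (for example `sha256sum -c` against a checksum file kept in the repository), so that a mismatch fails the build before anything is installed as root. A short comment explaining why this exact zlib version (1.2.8.dfsg-1ubuntu1) is required would also help whoever has to update these URLs later.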

The above strikes me as a problem waiting to happen.

If there are specific versions of zlib that need to be installed, and we
know what the package is that needs to be installed, at the very least,
the scripts to fetch each package should verify a strong cryptographic
digest of the package before directly installing it from the network.

If the digest doesn't match, then the script should abort with a
failure, before installing the packages.

	--dkg


signature.asc (application/pgp-signature)
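
The check requested in the reply above, sketched as an added example (it is not part of the original message or of the notmuch tree): every downloaded file is compared against a pinned SHA-256 digest, and the installer runs only if all of them match. The function names, the manifest file and the `INSTALL_CMD` override are assumptions made for illustration; the digests themselves must come from a trusted source and appear here only as placeholders.

```shell
#!/bin/sh
# Added example: verify pinned SHA-256 digests before installing downloaded packages.
# verify_sha256, install_verified and INSTALL_CMD are hypothetical names for this sketch.

# verify_sha256 FILE EXPECTED_HEX -> returns 0 if the file's SHA-256 matches, 1 otherwise.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    # Digests are hex; normalise the pinned value to lower case before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# install_verified MANIFEST
# MANIFEST lines have the form "<sha256-hex>  <path>" (the format sha256sum emits).
# Every file is checked first; the installer is reached only if all of them match.
install_verified() {
    manifest=$1
    files=""
    while read -r digest path; do
        [ -n "$digest" ] || continue      # skip blank lines
        verify_sha256 "$path" "$digest" || return 1
        files="$files $path"
    done < "$manifest"
    [ -n "$files" ] || { echo "empty manifest" >&2; return 1; }
    # INSTALL_CMD defaults to the installer used in the patch; override it for dry runs.
    # Word splitting of $files is intentional: paths in this sketch contain no spaces.
    ${INSTALL_CMD:-sudo dpkg -i} $files
}

# Usage in a CI step, after the wget lines (placeholder digests, not real values):
#   printf '%s  %s\n' '<sha256-of-zlib1g-dev-deb>' zlib1g-dev_1.2.8.dfsg-1ubuntu1_amd64.deb \
#                     '<sha256-of-zlib1g-deb>'     zlib1g_1.2.8.dfsg-1ubuntu1_amd64.deb > zlib.sha256
#   install_verified zlib.sha256 || exit 1
```

Because the function returns non-zero before the installer is invoked, a CI step that calls it fails without any package having been installed.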
