John> OK, that's fine.
John> Sorry, I thought you were referring to pulling the whole source out of git.
The missing part is the checksum & gpg.
In other words, you have no idea what the checksum of the
"tarball" you are about to download should be.
And you are not sure if the checksum itself came from a trusted source.
Something like sha1sum.txt.asc should do the trick I suppose.
Note: current https://jdbc.postgresql.org/download.html does not list
checksums & signatures.
I think I can configure the addition of "sha1sum.txt.asc" files, as in
[1], to pgjdbc's releases page (see [2]).
An alternative source can be Maven Central (see [3]).
It is a "standardized" repository with checksums and gpg signatures.
However, if we pick Central as the source of the tarballs, then we'd
better create yet another flavor of tarball that would not include
jar dependencies, etc.
In other words, "just a build-ready tarball" with no extra stuff.
The drawback of that approach is that the tarball would be a build
artifact, and the upstream would never use it to produce "authentic"
build artifacts.
Any thoughts?
[1]: https://github.com/syncthing/syncthing/releases
[2]: https://github.com/pgjdbc/pgjdbc/releases
[3]: https://oss.sonatype.org/content/repositories/releases/org/postgresql/postgresql/9.4.1207/
Vladimir
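The verification chain Vladimir describes (signed checksum list first, then the tarball hash checked against it), as an added example; this is not pgjdbc's or syncthing's code. It assumes a clearsigned `sha1sum.txt.asc` in `sha1sum(1)` line format, that `gpg(1)` is installed, and that the release signing key was fetched and its fingerprint pinned out of band (`expected_fpr` is a placeholder parameter, not a real pgjdbc key). The point is the ordering: a checksum file fetched over the same channel as the tarball proves nothing by itself, so only text that `gpg` reports as validly signed by the pinned key is ever parsed for checksums.

```python
"""Verify a downloaded release tarball against a signed checksum list.

Trust chain: the signing key fingerprint is pinned in advance, the
clearsigned sha1sum.txt.asc is verified with gpg and only its signed
text is used, then the tarball is hashed and compared to that text.
Example code for illustration; not part of the pgjdbc project.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


def parse_sums(text):
    """Return {filename: hexdigest} from sha1sum(1)-format text.

    Assumed format: "<40 hex>  <name>" or "<40 hex> *<name>" (binary mode),
    as produced by `sha1sum *.tar.gz`. Malformed lines are rejected rather
    than skipped, so a tampered list cannot silently drop entries.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 40:
            raise ValueError("malformed sha1sum line: %r" % raw)
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError("malformed sha1sum line: %r" % raw)
        if name.startswith("*"):          # binary-mode marker
            name = name[1:]
        sums[name] = digest.lower()
    return sums


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 so large tarballs are not read at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_tarball(path, sums, name=None):
    """True iff the file's SHA-1 matches its entry in the signed sums.

    Raises KeyError if the file is not listed at all: an unlisted tarball
    is rejected, not treated as 'unverified but fine'.
    """
    name = name or os.path.basename(path)
    expected = sums[name]
    return hmac.compare_digest(sha1_of_file(path), expected)


def verify_clearsigned(asc_path, expected_fpr, gnupghome=None):
    """Run gpg on a clearsigned file; return the signed text only if the
    signature is valid AND made by the pinned key fingerprint.

    Assumed: gpg is on PATH and the release key is already imported into
    `gnupghome` (or the default keyring). The machine-readable status lines
    are checked instead of trusting the exit code alone.
    """
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    want = expected_fpr.replace(" ", "").upper()
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "sha1sum.txt")
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--output", out,
             "--decrypt", asc_path],
            env=env, capture_output=True, text=True)
        # VALIDSIG: field 2 is the signing (sub)key fingerprint, the last
        # field is the primary key fingerprint; accept a pin on either.
        seen = set()
        for line in proc.stdout.splitlines():
            if line.startswith("[GNUPG:] VALIDSIG "):
                fields = line.split()
                seen.update((fields[2].upper(), fields[-1].upper()))
        if proc.returncode != 0 or not seen:
            raise RuntimeError("no valid signature on %s" % asc_path)
        if not any(hmac.compare_digest(f, want) for f in seen):
            raise RuntimeError("signed by unexpected key(s): %s" % sorted(seen))
        with open(out) as fh:
            return fh.read()


def verify_release(tarball, asc_path, expected_fpr, gnupghome=None):
    """Full chain: pinned key -> valid signature -> signed sums -> file hash."""
    sums = parse_sums(verify_clearsigned(asc_path, expected_fpr, gnupghome))
    return check_tarball(tarball, sums)


if __name__ == "__main__":
    import sys
    ok = verify_release(sys.argv[1], sys.argv[2], sys.argv[3])
    print("OK" if ok else "CHECKSUM MISMATCH")
    sys.exit(0 if ok else 1)
```

For artifacts taken from Maven Central instead, the signature is a detached `.asc` next to each file (with `.sha1` sidecars), so the clearsign step becomes `gpg --verify artifact.asc artifact` with the same fingerprint pin; the checksum sidecar is then redundant, since the signature already covers the artifact bytes.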