On Thu, Feb 9, 2017 at 12:53 PM, Jonathan Wakely via Boost
Even if you trust Fedora infrastructure (and thus don't check the hash when the archive is downloaded from there), the hash should still have been verified when the archive was first downloaded from SourceForge. At that point updating the Fedora servers should have failed.
Checking the hash is a manual process that should be done by the maintainer; it can't cause updating the Fedora servers to fail (the infrastructure can't check the hash because it doesn't know what to compare it to). I screwed that up for the first cycle of rebuilds I did for Boost 1.63.0.
IMO checking hashes should be an automatic process. You pass the hash and the URL to the downloader, which shouldn't return any data if the hash doesn't match.

--
Olaf
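
The downloader suggested in the last message, sketched as an added example (not code from this thread or from Fedora's tooling): it takes the URL and a pinned digest and leaves nothing at the destination unless the digest matches. The names `fetch_verified` and `HashMismatch` and the choice of SHA-256 are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
import urllib.request


class HashMismatch(Exception):
    """Raised when the downloaded bytes do not match the pinned digest."""


def fetch_verified(url, expected_sha256, dest, chunk_size=65536):
    """Download url to dest only if its SHA-256 equals expected_sha256.

    Data is streamed into a temporary file next to dest and hashed as it
    arrives. Nothing appears at dest unless the digest matches.
    """
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected_sha256 must be 64 hex characters")

    digest = hashlib.sha256()
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as tmp, urllib.request.urlopen(url) as resp:
            while True:
                chunk = resp.read(chunk_size)
                if not chunk:
                    break
                digest.update(chunk)
                tmp.write(chunk)
        actual = digest.hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise HashMismatch(f"{url}: expected {expected}, got {actual}")
        # Publish only after verification; atomic within one filesystem.
        os.replace(tmp_path, dest)
    finally:
        # On mismatch or I/O error the partial file is discarded.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
    return dest
```

The digest has to reach the caller through a channel other than the download itself, such as a value committed alongside the package spec; otherwise whoever replaces the archive can replace the hash too.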