BTW, there is this proposal: https://github.com/rpm-software-management/rpm/issues/463
Vít Dne 25. 07. 19 v 11:17 Joe Orton napsal(a): > On Wed, Jul 24, 2019 at 11:15:26PM +0200, Igor Gnatenko wrote: >> Hello, >> >> we've got new section in Packaging Guidelines about verifying upstream >> sources[0] with GPG. Please use it whenever possible :) >> >> Thanks! >> >> >> [0] >> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > It seems completely daft doing this at build time. > > In the historic CVS-based build system which predated what we now use, > we could do GPG key verification at the time of downloading and > importing a new tarball. This makes FAR more sense to me than checking > the signature on the same tarball every build. > > We'd put the set of trusted GPG keys in the repository alongside the > spec file, using some standard filename, and the build system would try > check the .asc against the keys when downloading (or uploading? I can't > remember) a new tarball. This would ensure the tarball uploaded to the > lookaside cache was trusted. > > Regards, Joe > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
