BTW, there is this proposal:

https://github.com/rpm-software-management/rpm/issues/463


Vít



Dne 25. 07. 19 v 11:17 Joe Orton napsal(a):
> On Wed, Jul 24, 2019 at 11:15:26PM +0200, Igor Gnatenko wrote:
>> Hello,
>>
>> we've got new section in Packaging Guidelines about verifying upstream
>> sources[0] with GPG. Please use it whenever possible :)
>>
>> Thanks!
>>
>>
>> [0] 
>> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
> It seems completely daft doing this at build time.
>
> In the historic CVS-based build system which predated what we now use, 
> we could do GPG key verification at the time of downloading and 
> importing a new tarball.  This makes FAR more sense to me than checking 
> the signature on the same tarball every build.
>
> We'd put the set of trusted GPG keys in the repository alongside the 
> spec file, using some standard filename, and the build system would try 
> check the .asc against the keys when downloading (or uploading? I can't 
> remember) a new tarball.  This would ensure the tarball uploaded to the 
> lookaside cache was trusted.
>
> Regards, Joe
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Reply via email to