Vít Ondruch wrote:
> On 25. 07. 19 at 8:46 Petr Pisar wrote:
> > (1) I don't agree this feature is helpful. If we don't trust ./sources
> > file content in dist-git, we cannot trust keyring stored in the same
> > dist-git repository. In other words it only brings another code into
> > spec files and build process that consumes resources and can fail.  
> 
> I had the same objections:
> 
> https://pagure.io/packaging-committee/issue/610#comment-144451
> 
> https://pagure.io/packaging-committee/issue/610#comment-535982

And in response to that I added the paragraph that explains that a
signature by the upstream developers certifies that the source is
identical to what they released, not just that the file is the one that
the packager uploaded. Policies should come with justification, so
thank you for pointing out that the initial draft didn't explain this.

Björn Persson

devel mailing list -- devel@lists.fedoraproject.org