Can someone please review the oclock package? This was orphaned after F35, and I packaged it for myself, and then would like to put it up. It was tentatively approved, but never finally done so. Thanks!
On Tuesday, November 23, 2021 at 02:43:00 PM CST, Björn Persson <bj...@xn--rombobjrn-67a.se> wrote: Ben Beasley wrote: > Please compare with > https://src.fedoraproject.org/rpms/xfontsel/blob/rawhide/f/xfontsel.spec, > paying close attention to the comments in the spec file. SKS keyservers have > gone offline since that package obtained its keyring, so try using > hkps://keys.openpgp.org instead. To elaborate on this, the procedure described in xfontsel.spec finds the key that was used to make the signature, so whoever made the signature becomes the trusted upstream. If you do that *once*, it's a form of trust on first use. It lets you discover future attacks as long as you continue using the same key, assuming that you got the right key to begin with. If you would repeat the key lookup every time you upgrade the package, then you would render the verification meaningless. You'd just be verifying that the tarball was signed by whoever signed the tarball. So don't do that. Björn Persson _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
