On Sun, Aug 25, 2024 at 8:36 AM Frank R Dana Jr. <ferd...@gmail.com> wrote:
>
> Also, a yea/nay on whether I've correctly understood this point:
>
> > So, does that mean that remote keyrings should be listed at their source 
> > URL,
> > BUT the `gpgkey-` file at that URL should be manually downloaded and
> > `git add`-ed to the package repo?
>
> ...would be a help. Before I go and attempt to make something explicit in the 
> Guidelines based on my low-confidence interpretation, it feels prudent to 
> first confirm that it's not a MIS-interpretation on my part.
> --

As I read the guidelines, the source, and the .sig file
should be in the lookaside cache (and in the
"sources" file), and the keyring that includes
those authorized to release should be stored in
the SCM (next to all the other files such as .spec)
so, git add'ed.  The keyring name (in the SourceNN:
line) may end up being a full upstream URL if
upstream publishes it that way, or a "bare" name
if the keyring needed to be locally created (as
noted in the exceptions part of those docs).

As you noted, there is the easy case, and then
there are the exceptions.  Perhaps a few
additional examples in the exceptions part
would help (perhaps a reference as to how
to use gpg to retrieve multiple keys for a
project and export into a usable keyring, for
those that have not been using gpg (and
the various predecessors) for decades).
I am unclear if that would be best inline in
the packaging doc itself, or just a reference
to another doc.
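The keyring step the message above asks about, as an added example that is not part of the original post or of the Fedora guidelines: several signers' keys are exported into one minimal keyring file, and a detached signature is checked against only that file. The signer identities, the tarball and the file names (`gpgkey-project.gpg`, `project-1.0.tar.gz`) are constructed for the demo, and it assumes GnuPG 2.x with `gpg`, `gpgv` and `gpgconf` on the PATH.

```shell
#!/bin/sh
# Added example. Two throwaway keys (constructed) stand in for a project's
# release signers; a real package imports upstream's published keys instead.

# Verify a detached signature against ONLY the keys in the given keyring file.
verify_with_keyring() {  # args: KEYRING SIGNATURE DATA
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

keyring_demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        GNUPGHOME=$work/gnupg; export GNUPGHOME   # isolated from ~/.gnupg
        mkdir -m 700 "$GNUPGHOME" || exit 1
        for who in signer-a signer-b; do
            gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
                --quick-generate-key "$who <$who@example.invalid>" \
                ed25519 sign never 2>/dev/null || exit 1
        done
        # One primary-key fingerprint per key, from the machine-readable listing.
        fprs=$(gpg --batch --with-colons --list-keys 2>/dev/null |
            awk -F: '$1 == "pub" { p = 1 } $1 == "fpr" && p { print $10; p = 0 }')
        first=$(printf '%s\n' "$fprs" | sed -n 1p)
        second=$(printf '%s\n' "$fprs" | sed -n 2p)

        # Constructed "release tarball", signed by the second signer.
        printf 'constructed release payload\n' > project-1.0.tar.gz
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --local-user "$second" --detach-sign \
            --output project-1.0.tar.gz.sig project-1.0.tar.gz 2>/dev/null || exit 1

        # Export every authorized signer into one minimal keyring file ...
        gpg --batch --export --export-options export-minimal \
            "$first" "$second" > gpgkey-project.gpg
        # ... and, for contrast, a keyring that is missing the actual signer.
        gpg --batch --export --export-options export-minimal \
            "$first" > gpgkey-incomplete.gpg

        full=rejected; partial=rejected
        verify_with_keyring "$work/gpgkey-project.gpg" \
            project-1.0.tar.gz.sig project-1.0.tar.gz && full=ok
        verify_with_keyring "$work/gpgkey-incomplete.gpg" \
            project-1.0.tar.gz.sig project-1.0.tar.gz && partial=ok
        gpgconf --kill all 2>/dev/null || :
        echo "full=$full partial=$partial"
    )
    rc=$?; rm -rf "$work"; return "$rc"
}
```

Calling `keyring_demo` prints the outcome for both keyrings; the incomplete one is rejected because the key that made the signature is not in it, which is why every authorized release signer has to be exported into the committed file.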