Michael, you make a very good point at 
https://blogs.gnome.org/mcatanzaro/2016/03/13/do-you-trust-this-package/

Our packaging guidelines really ought to mandate that *if* upstream
publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
package *must* verify those signatures as part of %prep.

Do you want to put a draft together for approval by the packaging
committee?

It might be nice to provide some RPM macros to make that easier for
packagers.

I've had a go at doing this for OpenConnect, in
http://pkgs.fedoraproject.org/cgit/rpms/openconnect.git/commit/?id=ca61de3f77

It's a bit pointless there, since the tarballs tend to get uploaded to
Fedora from the same workstation I sign them on, sometimes *before*
they're uploaded to the FTP site. But it's still good practice, as you
rightly point out.

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation
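An RPM spec fragment of the kind David describes, added here as an illustration and not part of the original thread or of the OpenConnect package: Source1 is upstream's detached signature, Source2 a pinned copy of the upstream release key, and %prep runs gpgv2 against that keyring before %setup unpacks anything. Every name, URL and key identifier below is a placeholder.

```spec
Name:           example-pkg
Version:        1.0
Release:        1%{?dist}
Summary:        Example package whose %prep verifies the upstream signature
License:        MIT
URL:            https://example.invalid/

Source0:        https://example.invalid/%{name}-%{version}.tar.gz
# Detached signature that upstream publishes next to the tarball.
Source1:        https://example.invalid/%{name}-%{version}.tar.gz.asc
# Upstream release key, exported in binary form with
#   gpg --export UPSTREAM-KEY-FINGERPRINT > gpgkey-UPSTREAM.gpg
# and committed to dist-git, so the trust anchor itself is reviewed
# alongside the spec instead of living in a packager's personal keyring.
Source2:        gpgkey-UPSTREAM.gpg

BuildRequires:  gnupg2

%description
Placeholder package demonstrating source signature verification in %prep.

%prep
# Verify first, unpack second: nothing from the tarball is used unless the
# detached signature checks out against the pinned key. gpgv2 consults only
# the keyring it is given, and a non-zero exit aborts the build.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q

%build
%configure
%make_build

%install
%make_install

%files
%license COPYING
```

Fedora later shipped exactly this kind of helper as the `%{gpgverify}` macro in redhat-rpm-config, invoked as `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}`, which wraps the same gpgv call.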


--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
