Petr Pisar wrote: > On 2019-07-24, Igor Gnatenko <ignatenkobr...@fedoraproject.org> wrote: > > we've got new section in Packaging Guidelines about verifying upstream > > sources[0] with GPG. Please use it whenever possible :) > [...] > > [0] > > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > > > > May I know a FPC ticket where this change was discussed and approved?
https://pagure.io/packaging-committee/issue/610 > (1) I don't agree this feature is helpful. If we don't trust ./sources > file content in dist-git, we cannot trust keyring stored in the the same > dist-git repository. In other words it only brings another code into > spec files and build process that consumes resources and can fail. This objection is answered in the policy itself: “Although a checksum in the sources file certifies that a file retreived from the lookaside cache is the one that the packager uploaded, it is silent on whether the file is what the upstream project released. A signature by the upstream developers certifies that the source is identical to what they released. Verifying the signature as part of the build ensures that packagers don’t forget to verify it.” > (2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' > --data='%{SOURCE0}'" command awfully verbose. The syntax is designed to be easy to remember and self-explanatory to the reader. > "%{gpgverify}" defaulting > to "%{gpgverify 2 1 0}" for single-source packages would provide the > same functionality with less boiler-plate code. Everyone who reads that would have to already know that the numbers are source file numbers. Otherwise they won't understand what “2 1 0” means. Packagers who are supposed to write it would have to look up the order of the parameters every time. Named parameters can be given in any order. An RPM spec is not a place for golfing. Readable code takes priority over saving keystrokes. > Actually augmenting > %setup macro that would perform the check automatically while user would > only build-require gnupg2 would be the best option. As you can see in the ticket, there was an attempt to make it fully automatic, which was abandoned. > (3) Recommended way of verifying uncompressed sources means double > decompression. Decompressing, verifying, and unpacking uncompressed > archive would be more processor friendly. This is technically true, and doing that obviously works, though it takes more of what you called “boiler-plate code”. In practice, I doubt many upstream projects sign their code that way. It's a bad idea because it unnecessarily exposes the decompression program to untrusted input. > (4) Verification of modified archives conflicts with a legal requirement > that Fedora cannot distribute the unmodified archive. If what you package is not what upstream released, then obviously you can't verify it against upstream's signature. If you must remove something for legal reasons, and you still want to verify the tarball, then you can sign your modified tarball with your own key. Björn Persson
pgpUvJ_dYrLQI.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
