On Thu, Jul 25, 2019 at 06:46:24AM -0000, Petr Pisar wrote: > On 2019-07-24, Igor Gnatenko <ignatenkobr...@fedoraproject.org> wrote: > > we've got new section in Packaging Guidelines about verifying upstream > > sources[0] with GPG. Please use it whenever possible :) > [...] > > [0] > > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > > (2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' > --data='%{SOURCE0}'" command awfully verbose. "%{gpgverify}"
I'm more worried about it relying on GPG at the moment considering the state of the SKS network [1]. What are the changes that we end up breaking a build if we suddenly get a poisoned key? Are we going to break just a build or could this have more annoying consequences? Best, Pierre [1] "SKS Keyserver Network Under Attack" by Robert J. Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org