Re: Question about git signed tags

2022-11-29 Thread Bob Hepple
Thanks to all respondents - an interesting discussion. I think I'm now equipped to respond to upstream.

Bob

On Wed, 30 Nov 2022 at 08:15, Björn Persson wrote:
> Vitaly Zaitsev via devel wrote:
> > On 29/11/2022 17:33, Todd Zullinger wrote:
> > > One of reasons being that it's (at least

Re: Question about git signed tags

2022-11-29 Thread Björn Persson
Vitaly Zaitsev via devel wrote:
> On 29/11/2022 17:33, Todd Zullinger wrote:
> > One of reasons being that it's (at least slightly) easier to
> > notice a change to the public key / keyring when it's in
> > dist-git versus the lookaside cache
>
> It depends on public key format. Armored (ASCII

Re: Question about git signed tags

2022-11-29 Thread Vitaly Zaitsev via devel
On 29/11/2022 20:57, Neal Gompa wrote:
> If they're ASCII armored format, then store them in Git, by all means.

Yep. The example[1] stores the keys in binary format. Missing --armor option.

[1]: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_exceptions

-- 
Sincerely,
Vitaly

Re: Question about git signed tags

2022-11-29 Thread Neal Gompa
On Tue, Nov 29, 2022 at 2:50 PM Vitaly Zaitsev via devel wrote:
>
> On 29/11/2022 17:33, Todd Zullinger wrote:
> > One of reasons being that it's (at least slightly) easier to
> > notice a change to the public key / keyring when it's in
> > dist-git versus the lookaside cache
>
> It depends on

Re: Question about git signed tags

2022-11-29 Thread Colin Walters
On Tue, Nov 29, 2022, at 3:24 AM, Bob Hepple wrote:
> Here's a question from one of my upstream devels. Not sure I understand
> exactly what he's asking but I thought I'd post here in the hope that
> someone can enlighten him (and me!).
>
> "... Arch supports signed git tags. I'm hoping Fedora

Re: Question about git signed tags

2022-11-29 Thread Vitaly Zaitsev via devel
On 29/11/2022 17:33, Todd Zullinger wrote:
> One of reasons being that it's (at least slightly) easier to
> notice a change to the public key / keyring when it's in
> dist-git versus the lookaside cache

It depends on public key format. Armored (ASCII format) vs. binary keys. Storing binaries in Git

Re: Question about git signed tags

2022-11-29 Thread Todd Zullinger
Vitaly Zaitsev via devel wrote:
> On 29/11/2022 09:24, Bob Hepple wrote:
>> "... Arch supports signed git tags. I'm hoping Fedora does too.
>
> On Fedora you must upload source tarball, its signature and public key to
> the Fedora look-aside cache

A minor expansion on that; the public key /

Re: Question about git signed tags

2022-11-29 Thread Neal Gompa
On Tue, Nov 29, 2022 at 3:24 AM Bob Hepple wrote:
>
> Here's a question from one of my upstream devels. Not sure I understand
> exactly what he's asking but I thought I'd post here in the hope that someone
> can enlighten him (and me!).
>
> "... Arch supports signed git tags. I'm hoping Fedora

Re: Question about git signed tags

2022-11-29 Thread Stephen Smoogen
On Tue, 29 Nov 2022 at 07:29, Björn Persson wrote:
>
> As to why the builders lack Internet access, I wasn't around when that
> was decided but it helps ensure that the source RPM packages actually
> contain the source code.
>
>

During the early days of packaging, there were a set of packages

Re: Question about git signed tags

2022-11-29 Thread Björn Persson
Bob Hepple wrote:
> If we _do_ support "signed git tags" how do we code for it in the spec
> file?

As the builders lack Internet access, they can't pull directly from the upstream Git repository. To verify a signed Git tag during the build, it would be necessary to package up the whole Git

Re: Question about git signed tags

2022-11-29 Thread Michael J Gruber
Adding to what Vitaly has said: The other question is where you get those signatures from. If upstream does not sign tarballs any more then there is nothing to check, sadly. In a source-git based workflow, or if you roll your own using rpkg or such, you have the upstream source available so

Re: Question about git signed tags

2022-11-29 Thread Vitaly Zaitsev via devel
On 29/11/2022 09:24, Bob Hepple wrote:
> "... Arch supports signed git tags. I'm hoping Fedora does too.

On Fedora you must upload source tarball, its signature and public key to the Fedora look-aside cache, because builders have no network access for security reasons.

-- 
Sincerely,
Vitaly

Question about git signed tags

2022-11-29 Thread Bob Hepple
Here's a question from one of my upstream devels. Not sure I understand exactly what he's asking but I thought I'd post here in the hope that someone can enlighten him (and me!). "... Arch supports signed git tags. I'm hoping Fedora does too. I'm thinking of dropping this cumbersome process