James Hogarth wrote:

> We trust our packagers to do a lot, we can trust them to add this to their
> packages if it helps them and for them to encourage it in their reviews if
> they find a signed archive provided upstream.

IMHO, this is the main point. Checking signatures automatically in %prep only 
makes sense if you are sure you're using the correct public key. So the 
packager, who is supposed to work closely with upstream, MUST make sure that he 
has the correct public key from first-hand knowledge before he can include it 
in the spec file as %(SourceN) for %prep. This is as important as checking the 
source code for licensing files and it would be much more than the average Joe 
would do if he were going to check the source himself.

Sometimes the packager and upstream are even the same, so making sure the right 
public key is being used will be quite easy.

Having said the above, I also advocate a SHOULD instead of a MUST in the 
guidelines as providing a signature with the source tarball is voluntary for 
upstream and should be viewed as an additional means to maintain the integrity 
of the code that should be honoured in the spec file.
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
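An added example, not part of the message above, of what such a %prep check looks like in a Fedora spec file using the %{gpgverify} macro from redhat-rpm-config; the package name, version, URL and key fingerprint are placeholders.

```spec
# Added example (not from the mailing-list message): minimal Fedora spec
# fragment that verifies the upstream tarball against upstream's detached
# signature, using only a public key the packager obtained first-hand.
# Name, version, URL and fingerprint are placeholders.
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Example package with upstream signature verification
License:        MIT
URL:            https://example.org/
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
# Detached signature published by upstream next to the tarball
Source1:        https://example.org/releases/%{name}-%{version}.tar.gz.asc
# Upstream's public key, exported by the packager from a key whose
# fingerprint was confirmed out of band (key signing, release notes, ...):
#   gpg2 --export --export-options export-minimal KEYID > gpgkey-<FINGERPRINT>.gpg
Source2:        gpgkey-PLACEHOLDER_FINGERPRINT.gpg
BuildRequires:  gnupg2

%description
Example package.

%prep
# %{gpgverify} runs gpgv against the pinned keyring shipped as Source2;
# a bad or missing signature fails the build before the tarball is unpacked.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```

Because the keyring is a file committed alongside the spec, a key swap by upstream's download host is caught at build time rather than silently trusted.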