Joe Orton wrote: > On Wed, Jul 24, 2019 at 11:15:26PM +0200, Igor Gnatenko wrote: > > Hello, > > > > we've got new section in Packaging Guidelines about verifying upstream > > sources[0] with GPG. Please use it whenever possible :) > > > > Thanks! > > > > > > [0] > > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > > > > It seems completely daft doing this at build time. > > In the historic CVS-based build system which predated what we now use, > we could do GPG key verification at the time of downloading and > importing a new tarball. This makes FAR more sense to me than checking > the signature on the same tarball every build. > > We'd put the set of trusted GPG keys in the repository alongside the > spec file, using some standard filename, and the build system would try > check the .asc against the keys when downloading (or uploading? I can't > remember) a new tarball. This would ensure the tarball uploaded to the > lookaside cache was trusted.
If you can implement that in such a way that the packager can't neglect to verify the signature, then that might also work for Fedora's needs. You'll have to think hard about how the code will know which source file to verify against which signature in all possible situations. Björn Persson
pgpML4B5QmuCm.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
