On Fri, Jun 25, 2021 at 9:04 AM Frédéric Pierret
<frederic.pier...@qubes-os.org> wrote:
>
> On 6/25/21 at 2:51 PM, Neal Gompa wrote:
> > On Fri, Jun 25, 2021 at 3:43 AM Zbigniew Jędrzejewski-Szmek
> > <zbys...@in.waw.pl> wrote:
> >>
> >> On Fri, Jun 25, 2021 at 03:49:23AM +0000, Dan Čermák wrote:
> >>>
> >>>
> >>> On June 24, 2021 9:22:51 PM UTC, "Miro Hrončok" <mhron...@redhat.com> wrote:
> >>>> On 24. 06. 21 23:07, Miroslav Suchý wrote:
> >>>>> On 24. 06. 21 at 15:48 Tomas Tomecek wrote:
> >>>>>>> One thing to consider is that the upstream tarballs might be
> >>>>>>> cryptographically signed and packages should verify the signature in %prep.
> >>>>>> This is a very good point - in such a case, we should always pull
> >>>>>> the official upstream tarball instead of generating a new one downstream
> >>>>>
> >>>>> Does it matter? If you are able to generate byte2byte identical
> >>>>> tarball then you can choose any of them.
> >>>>
> >>>> AFAIK git does not guarantee to produce byte2byte identical archives
> >>>> across different versions of git, zlib, gzip etc. So even if upstream signs
> >>>> the git generated archive, generating a byte2byte identical one might be
> >>>> tricky.
> >>>
> >>> Especially with xz, which iirc has reproducibility issues in parallel mode.
> >>
> >> I think we should try to push upstream to sign git tags, instead or in
> >> addition to tarballs. For upstreams, this is actually much easier
> >> (just 'git tag' → 'git tag -s' and you're done) compared to e.g. signing
> >> a tarball on github which requires some interaction with the web service.
> >>
> >
> > As an upstream, I would literally *never* GPG sign git tags. If you
> > ask me to do that, I won't. It's far too annoying to deal with for me
> > to be willing to suffer through that.
> >
> > I'm not going to ask people to do something I would be unwilling to do myself.
>
> What about only version tags? You could do some git/bash alias to create
> commit version + signed tag at once. For example, we do that on Qubes OS and
> that's not more work than just committing the version.
>

The problem is that the workflow for tag signatures sucks for Git. And
I'd need to get it registered in the forges or whatever systems are
used to consume and verify signatures. That's Herculean in a way that
I'm unwilling to deal with.
--
真実はいつも一つ!/ Always, there's only one truth!
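The two sides of the workflow debated above, as an added example that is not code from the thread or from any of the projects named in it: the upstream step is the one-word change from `git tag` to `git tag -s`, and the downstream step verifies the tag against an isolated keyring before `git archive` produces the tarball, which sidesteps the byte-for-byte tarball reproducibility problem. It assumes git and gpg are installed; the key, the repository and the tag names are all constructed here.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Upstream: sign a release tag with
# `git tag -s`. Downstream: verify the tag against a pinned keyring before
# `git archive` builds the source tarball from the verified tree.
# Assumes git and gpg are installed; key, repo and tag names are constructed.
set -euo pipefail

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"          # isolated keyring; never touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Upstream <upstream@example.invalid>' ed25519 sign never 2>/dev/null
KEYID=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')

# Upstream: one commit, a signed v1.0 tag, and an unsigned v1.1 tag for contrast.
REPO="$WORK/repo"
git init -q "$REPO"
G() { git -C "$REPO" -c user.name=up -c user.email=upstream@example.invalid \
         -c user.signingkey="$KEYID" -c gpg.program=gpg "$@"; }
echo 'hello' > "$REPO/README"
G add README && G commit -q -m 'release 1.0'
G tag -s v1.0 -m 'v1.0'                 # the `git tag` -> `git tag -s` step
G tag v1.1                              # unsigned tag: must be rejected downstream

# Downstream: accept a tag only if its signature verifies with the pinned keyring.
# Prints "good" or "bad" and never aborts the caller.
verify_release_tag() {
    if git -C "$REPO" -c gpg.program=gpg verify-tag "$1" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# Build the source archive from the verified tag and return its SHA-256 digest.
archive_digest() {
    git -C "$REPO" archive --format=tar --prefix="project-$1/" "$1" | sha256sum | cut -d' ' -f1
}

main() {
    echo "v1.0: $(verify_release_tag v1.0)"   # good
    echo "v1.1: $(verify_release_tag v1.1)"   # bad
    if [ "$(verify_release_tag v1.0)" = good ]; then
        echo "archive sha256: $(archive_digest v1.0)"
    fi
}
main
```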
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure