Hi, Globe Trotter via devel wrote: > I have been trying to package slim again. The package does not come with a > signature or a gpg key. > > From > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > I don't see an option of what to do if there is no signature provided. > > Any suggestions or pointers to where I can get guidance on this?
Per the guidelines:
Where the upstream project publishes OpenPGP signatures
of their releases, Fedora packages SHOULD verify that
signature as part of the RPM build process.
If upstream doesn't provide a signature for their releases,
then there isn't anything to verify.
The guideline is also a SHOULD not a MUST, so it's not a
blocker to lack signature verification (though I'd argue it
should be a very strong SHOULD, if not a MUST. ;)
It might be worth asking the upstream maintainer if they
would consider signing the release tarballs.
I have to guess that you're looking to use slim-fork, rather
than the original slim? The latter hasn't seen any changes
since 2013¹, while the former has been updated recently to
1.4.0² (as far as I can tell with some quick searching).
¹ https://github.com/iwamatsu/slim/tags
² https://sourceforge.net/projects/slim-fork/files/
--
Todd
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
