On Tue, Mar 22, 2016 at 06:01:28PM +0100, Björn Persson wrote:
> David Woodhouse wrote:
> > Our packaging guidelines really ought to mandate that *if* upstream
> > publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
> > package *must* verify those signatures as part of %prep.
> 
> I suppose the point of this would be that others can see that the
> verification has been done, right?

It also makes it easier for (co)maintainers to establish a
trust-on-first-use signature verification model. For example, I added the
GPG key for youtube-dl to the spec file, and the co-maintainer or current
maintainer just needs to update the tarball and the signature to be sure
that only a trusted tarball will be used. It also allows one to easily
verify the tarball using fedpkg prep or fedpkg local.

I guess it might even make the new hotness do scratch builds with
verified tarballs, since iirc it updates both the tarball and the
signature and then %prep makes sure that they are verified.

Kind regards
Till
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
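The pattern Till describes (upstream key committed alongside the spec, detached signature checked in %prep so that a bad or missing signature fails the build and `fedpkg prep` / `fedpkg local` alike), written out as an added example spec fragment. This is not code from the original message, from the youtube-dl package, or from Fedora's guidelines; the package name, URLs, version and the `gpgkey-PLACEHOLDER.gpg` keyring file name are assumptions.

```spec
# Added example, not from the original message or any real package.
# Verifies an upstream-signed tarball in the prep section so the build
# aborts on a missing, corrupted or untrusted signature.
Name:           example-pkg
Version:        1.0
Release:        1%{?dist}
Summary:        Example of upstream signature verification during prep
License:        MIT
URL:            https://example.invalid/
Source0:        https://example.invalid/%{name}-%{version}.tar.gz
# Detached signature that upstream publishes next to the tarball.
Source1:        https://example.invalid/%{name}-%{version}.tar.gz.sig
# Upstream's public key, stored in the package as a binary keyring
# (for example produced with `gpg --export <KEYID> > gpgkey-<KEYID>.gpg`;
# gpgv does not read ASCII-armored key files). Committing this file is the
# trust-on-first-use step: later updates only need a new tarball and .sig,
# and any tarball not signed by this key fails in prep.
Source2:        gpgkey-PLACEHOLDER.gpg

BuildRequires:  gnupg2

%description
Demonstrates verifying the upstream signature before unpacking the source.

%prep
# gpgv2 exits non-zero when the signature does not match the tarball or
# was not made by a key in the keyring, which stops the build right here.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
```

Keep the keyring limited to the upstream release key(s) rather than a whole keyserver export: `gpgv2` treats every key in the file as trusted, so the keyring file itself defines what "trusted tarball" means for this package. A key rotation upstream then shows up as a deliberate change to Source2 in the package's history instead of silently passing.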