On Tue, 2016-03-22 at 18:01 +0100, Björn Persson wrote:
> Because technically, verifying a tarball that the packager uploaded,
> with a signature that the packager uploaded, against a key that the
> packager uploaded, that doesn't really add anything compared to the
> packager verifying the signature before they upload the tarball.

... every time.

You're right, it doesn't really add anything. But it's free, and it's a belt-and-braces system. Whatever might corrupt a tarball between the original download and the RPM build, the check in %prep would catch it. Assuming the signing key isn't *also* compromised, of course. But there's a fairly large class of problems that *would* be caught. For almost no effort.

-- 
David Woodhouse
Open Source Technology Centre
david.woodho...@intel.com
Intel Corporation
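For readers unfamiliar with the check being discussed, here is an added example (not from this thread or from any Fedora package) of a spec file that verifies the upstream tarball in %prep against a detached signature and a key file shipped with the package sources; the package name, URLs and file names are placeholders.

```spec
# Added example, not from the thread: a detached-signature check in %prep.
# Names and URLs below are placeholders. The keyring is a file the package
# itself ships (Source2), so the build never contacts a keyserver and the
# check runs on every build, not only when the packager remembers to do it.
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Summary:        Example package with upstream signature verification
License:        MIT
Source0:        https://example.invalid/foo-%{version}.tar.gz
Source1:        https://example.invalid/foo-%{version}.tar.gz.asc
# Upstream release-signing public key, exported once in binary form
# (gpgv does not read ASCII-armored keyrings) and kept with the sources.
Source2:        foo-release-key.gpg
BuildRequires:  gnupg2

%description
Example only.

%prep
# Verify the tarball against the bundled key before unpacking anything.
# gpgv2 exits non-zero on a bad, missing or untrusted signature, which
# aborts the build; a tarball altered anywhere between the original
# download and this point fails here rather than being built silently.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
```

As the thread notes, this does not defend against a compromised signing key; it only guarantees that what gets built is what the bundled key signed.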
-- 
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org