David Woodhouse wrote:
> Our packaging guidelines really ought to mandate that *if* upstream
> publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
> package *must* verify those signatures as part of %prep.

I just thought of something that shouldn't be forgotten: How would this
affect the bootstrapping of a new architecture?

In https://fedoraproject.org/wiki/Architectures/AArch64/Bootstrap the
gnupg2 package is listed in stage 3, where builds were done with
RPMbuild. Bash (just to pick an example) is also listed in stage 3. Bash
tarballs are signed, so verification would be required in bash.spec.
This would move GPG and its dependencies to stage 2, stuff that must be
built before RPMbuild can be used.

Is that acceptable? Should there be something that disables the
verification during bootstrapping?

Björn Persson

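The bootstrap switch the post asks about is commonly expressed as a spec-file build conditional. The fragment below is an added illustration, not Fedora's actual bash.spec and not from this thread: it assumes the `%{gpgverify}` macro shipped by redhat-rpm-config, assumes the upstream signing key has been stored alongside the package sources under the hypothetical name gpgkey-bash.asc, and uses the GNU mirror layout for the source URLs.

```rpmspec
# Illustrative bash.spec fragment (added example, not the real package).
# Assumptions: %{gpgverify} from redhat-rpm-config is available, and the
# upstream public key is checked into the package sources as gpgkey-bash.asc
# (hypothetical file name).

# `rpmbuild --with bootstrap` (or the equivalent mock/koji option) skips the
# signature check while GnuPG is not yet built on a new architecture.
# Default builds verify.
%bcond_with bootstrap

Source0:        https://ftp.gnu.org/gnu/bash/bash-%{version}.tar.gz
Source1:        https://ftp.gnu.org/gnu/bash/bash-%{version}.tar.gz.sig
# The keyring is part of the package sources and reviewed like any other
# source, never fetched at build time, so the same mirror cannot supply
# both a tampered tarball and a matching key.
Source2:        gpgkey-bash.asc

%if %{without bootstrap}
# Only non-bootstrap builds need GnuPG at build time.
BuildRequires:  gnupg2
%endif

%prep
%if %{without bootstrap}
# Verifies the detached signature against the pinned keyring before the
# tarball is unpacked; a mismatch aborts the build here.
%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
%endif
%autosetup
```

Keeping the conditional on `BuildRequires: gnupg2` as well as on the `%prep` step is what lets the package stay in stage 3 of a bootstrap: the dependency on GnuPG only exists for verified builds. A sensible follow-up is to rebuild every `--with bootstrap` package once GnuPG is available, so that the binaries that end up in the distribution all come from a verified tarball.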

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org