Re: providing gpg verification for a package without signature
To answer my own question, by the trial-and-error method, it seems that the current default needs to be taken out from the conf file.

On Sunday, February 26, 2023 at 02:48:52 PM CST, Globe Trotter via devel wrote:

Sorry, I had a question on the xserver_arguments in the slim.conf file. The old (1.3.6) file had xserver_arguments commented out, but the new (1.4.0) file replaces it with

    xserver_arguments -nolisten tcp -deferglyphs 16

The default xserver is still the same:

    default_xserver /usr/bin/X

Should the xserver_arguments be modified/removed in a patch? Or left as is?

Thanks!

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: providing gpg verification for a package without signature
Sorry, I had a question on the xserver_arguments in the slim.conf file. The old (1.3.6) file had xserver_arguments commented out, but the new (1.4.0) file replaces it with

    xserver_arguments -nolisten tcp -deferglyphs 16

The default xserver is still the same:

    default_xserver /usr/bin/X

Should the xserver_arguments be modified/removed in a patch? Or left as is?

Thanks!

On Sunday, February 26, 2023 at 10:44:38 AM CST, Todd Zullinger wrote:

Hi,

Globe Trotter via devel wrote:
> I have been trying to package slim again. The package does not come with a
> signature or a gpg key.
>
> From
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
> I don't see an option of what to do if there is no signature provided.
>
> Any suggestions or pointers to where I can get guidance on this?

Per the guidelines:

    Where the upstream project publishes OpenPGP signatures of their
    releases, Fedora packages SHOULD verify that signature as part of
    the RPM build process.

If upstream doesn't provide a signature for their releases, then there isn't anything to verify. The guideline is also a SHOULD not a MUST, so it's not a blocker to lack signature verification (though I'd argue it should be a very strong SHOULD, if not a MUST. ;)

It might be worth asking the upstream maintainer if they would consider signing the release tarballs.

I have to guess that you're looking to use slim-fork, rather than the original slim? The latter hasn't seen any changes since 2013¹, while the former has been updated recently to 1.4.0² (as far as I can tell with some quick searching).

¹ https://github.com/iwamatsu/slim/tags
² https://sourceforge.net/projects/slim-fork/files/

--
Todd
Re: providing gpg verification for a package without signature
Sorry, forgot to add: I will ask the slim-fork maintainer if he will sign the release tarballs.

On Sunday, February 26, 2023 at 10:51:14 AM CST, Globe Trotter via devel wrote:

Todd,

I only became aware of this fork yesterday, and have packaged it and put it on bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173236

Hopefully, someone who can will review and approve it. Someone did review it, but is not eligible to approve.

Thanks!
Re: providing gpg verification for a package without signature
Todd,

I only became aware of this fork yesterday, and have packaged it and put it on bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173236

Hopefully, someone who can will review and approve it. Someone did review it, but is not eligible to approve.

Thanks!

On Sunday, February 26, 2023 at 10:44:38 AM CST, Todd Zullinger wrote:

Hi,

Globe Trotter via devel wrote:
> I have been trying to package slim again. The package does not come with a
> signature or a gpg key.
>
> From
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
> I don't see an option of what to do if there is no signature provided.
>
> Any suggestions or pointers to where I can get guidance on this?

Per the guidelines:

    Where the upstream project publishes OpenPGP signatures of their
    releases, Fedora packages SHOULD verify that signature as part of
    the RPM build process.

If upstream doesn't provide a signature for their releases, then there isn't anything to verify. The guideline is also a SHOULD not a MUST, so it's not a blocker to lack signature verification (though I'd argue it should be a very strong SHOULD, if not a MUST. ;)

It might be worth asking the upstream maintainer if they would consider signing the release tarballs.

I have to guess that you're looking to use slim-fork, rather than the original slim? The latter hasn't seen any changes since 2013¹, while the former has been updated recently to 1.4.0² (as far as I can tell with some quick searching).

¹ https://github.com/iwamatsu/slim/tags
² https://sourceforge.net/projects/slim-fork/files/

--
Todd
Re: providing gpg verification for a package without signature
Hi,

Globe Trotter via devel wrote:
> I have been trying to package slim again. The package does not come with a
> signature or a gpg key.
>
> From
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
> I don't see an option of what to do if there is no signature provided.
>
> Any suggestions or pointers to where I can get guidance on this?

Per the guidelines:

    Where the upstream project publishes OpenPGP signatures of their
    releases, Fedora packages SHOULD verify that signature as part of
    the RPM build process.

If upstream doesn't provide a signature for their releases, then there isn't anything to verify. The guideline is also a SHOULD not a MUST, so it's not a blocker to lack signature verification (though I'd argue it should be a very strong SHOULD, if not a MUST. ;)

It might be worth asking the upstream maintainer if they would consider signing the release tarballs.

I have to guess that you're looking to use slim-fork, rather than the original slim? The latter hasn't seen any changes since 2013¹, while the former has been updated recently to 1.4.0² (as far as I can tell with some quick searching).

¹ https://github.com/iwamatsu/slim/tags
² https://sourceforge.net/projects/slim-fork/files/

--
Todd
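How the source file verification quoted in the reply above is wired into a spec file when upstream does publish a detached signature, as an added example that is not part of the thread or of any Fedora package. The download URLs and the key file name are placeholders; the package discussed here ships no signature to verify.

```spec
# Constructed fragment: URLs and the key file name are placeholders.
Source0:        https://downloads.example.org/%{name}/%{name}-%{version}.tar.gz
# Detached OpenPGP signature that upstream publishes next to the tarball
Source1:        https://downloads.example.org/%{name}/%{name}-%{version}.tar.gz.asc
# Upstream's public key, obtained once over a trusted channel and kept
# with the spec so every build checks against the same key
Source2:        gpgkey-FULL_FINGERPRINT_PLACEHOLDER.gpg

# gpgverify calls gpg, so it must be present in the build root
BuildRequires:  gnupg2

%prep
# Runs before the sources are unpacked; the build fails here if the
# signature does not match the tarball and the packaged key
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```

Without a Source1 signature from upstream there is nothing for this step to check, which is the situation the thread describes.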
Re: providing gpg verification for a package without signature
Thanks, so it appears that no GPG verification is needed in this case, then. I thought it was needed for everything.

Thanks again for the clarification!

On Sunday, February 26, 2023 at 10:29:30 AM CST, Ben Beasley wrote:

“Where the upstream project publishes OpenPGP signatures of their releases, Fedora packages SHOULD verify that signature as part of the RPM build process.”

Most upstreams don’t sign their releases this way, so most Fedora packages don’t need to worry about it. If upstream did provide signatures, they would be published alongside the source archives.

> On Feb 26, 2023, at 11:02 AM, Globe Trotter via devel wrote:
>
> Hello,
>
> I have been trying to package slim again. The package does not come with a
> signature or a gpg key.
>
> From
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
> I don't see an option of what to do if there is no signature provided.
>
> Any suggestions or pointers to where I can get guidance on this?
>
> Thanks!
Re: providing gpg verification for a package without signature
“Where the upstream project publishes OpenPGP signatures of their releases, Fedora packages SHOULD verify that signature as part of the RPM build process.”

Most upstreams don’t sign their releases this way, so most Fedora packages don’t need to worry about it. If upstream did provide signatures, they would be published alongside the source archives.

> On Feb 26, 2023, at 11:02 AM, Globe Trotter via devel wrote:
>
> Hello,
>
> I have been trying to package slim again. The package does not come with a
> signature or a gpg key.
>
> From
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
> I don't see an option of what to do if there is no signature provided.
>
> Any suggestions or pointers to where I can get guidance on this?
>
> Thanks!
providing gpg verification for a package without signature
Hello,

I have been trying to package slim again. The package does not come with a signature or a gpg key.

From https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification I don't see an option of what to do if there is no signature provided.

Any suggestions or pointers to where I can get guidance on this?

Thanks!