On Thu, Apr 14, 2016 at 04:31:15PM +0200, Christophe Fergeau wrote:
> Hi,
>
> On Thu, Apr 14, 2016 at 10:01:27AM -0400, Cole Robinson wrote:
> > On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
> > > This at least allows to make sure that all tarballs are signed with the
> > > same GPG key, and that the tarball was not corrupted between the time it
> > > was uploaded upstream, and the time the RPM is built.
> > >
> > > danpb-BE86EBB415104FDF.gpg is generated with:
> > > gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
> >
> > That file wasn't committed though, was it meant to be?
>
> I left it out on purpose as it's better if the packager gets the key for
> verification using its own channel. If it's in the tarball, then it
> could be modified at the same time as the tarball. If someone wants to
> directly use the .spec file from the source tarball in order to build
> libvirt-glib, this is indeed going to be an issue. I don't think this is
> what is commonly done, is it?

Yes, it is something we need to support - ie rpmbuild -ta <tarball>
should work

So in retrospect we need to make this conditional, defaulting to off,
and just change it to default to on in fedora / rhel formal builds

Regards,
Daniel
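
One way the conditional check discussed in this thread could look in a spec file. This is an added example, not part of the original mail and not the libvirt-glib spec. The `gpgverify` switch name, the tarball and `.asc` signature file names, and the source numbering are assumptions; only the keyring file name comes from the thread.

```spec
# Hypothetical fragment (added example, not the project's spec file).
# %%bcond_with makes the check opt-in: it is off unless the build is run
# with "--with gpgverify", so "rpmbuild -ta <tarball>" still works when
# the keyring is not shipped inside the tarball.
# A distribution's own copy of the spec could use %%bcond_without instead,
# turning the check on by default for its formal builds.
%bcond_with gpgverify

# Assumed upstream tarball name.
Source0: %{name}-%{version}.tar.gz
%if %{with gpgverify}
# Assumed detached signature name.
Source1: %{name}-%{version}.tar.gz.asc
# Keyring obtained by the packager through their own channel,
# as described in the thread, and placed in the SOURCES directory.
Source2: danpb-BE86EBB415104FDF.gpg
BuildRequires: gnupg2
%endif

%prep
%if %{with gpgverify}
# gpgv2 trusts only keys in the given keyring; a non-zero exit aborts %%prep,
# so a tarball whose signature does not verify is never unpacked.
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%endif
%setup -q
```

Because the signature and keyring are declared only when the switch is on, a source RPM built with the switch off will not contain them.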