Looks good (although mach is giving me problems again so I can't test all of it.) Some feedback:

- A NEEDSWORK review is just as valuable as a PUBLISH +1 review. I'd like to see the script generate that as well.
- (Showing my ignorance of mach) How safe is it to build untrusted sources within mach? Since mach builds the package before the user gets a chance to go look at whether the Source URL is canonical, I was wondering....
- Review has "Installs, runs, and uninstalls fine on FC1" but I haven't done any of that yet -- should it be in TODO?
- The first time I ran it, the script errored out because there was an old version of an md5sum file on the server that didn't have the package version I had up there. However, GPG signed SRPMs are equivalent to checking a GPG signed md5sum file that has an md5sum for the SRPM. So my view is if the GPG signature on the SRPM is good and the MD5SUM file doesn't contradict it (i.e.: different signing keys, different MD5Sums for the same file) it shouldn't error out.
- I'd like to be able to point at an SRPM instead of into bugzilla in case I have an SRPM already on my machine that I'd like to check.

-Toshio
--
Toshio <toshio@xxxxxxxxxxxxxxx>
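The md5sum point in the message above, as an added example that is not part of the original message or of the script under review: one reading of "don't error out unless the md5sum file contradicts the signed SRPM". It assumes GPG verification has already been done by rpm/gpg and only the resulting key IDs are passed in; all names, key IDs and sample data are constructed.

```python
import hashlib
import re

MD5_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def parse_md5sums(text):
    """Map filename -> md5 from md5sum(1) output; PGP armor lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def check_srpm(name, data, srpm_signer, md5_text=None, md5_signer=None):
    """Return (ok, reason).

    srpm_signer / md5_signer: key IDs of signatures already verified as good
    by rpm / gpg (assumption: verification happens outside this function).
    """
    if srpm_signer is None:
        return False, "no good GPG signature on the SRPM"
    if md5_text is None:
        return True, "signed SRPM, no md5sum file to compare"
    if md5_signer != srpm_signer:
        return False, "md5sum file not signed by the SRPM's key"
    listed = parse_md5sums(md5_text).get(name)
    if listed is None:
        # Stale md5sum file: it says nothing about this SRPM, so no contradiction.
        return True, "md5sum file has no entry for this SRPM"
    if listed != hashlib.md5(data).hexdigest():
        return False, "md5sum file contradicts the SRPM"
    return True, "signature good and md5sum matches"

# Constructed sample data (not from the original message).
SRPM_NAME = "example-1.1-1.src.rpm"
SRPM_DATA = b"constructed stand-in for SRPM contents"
KEY_A, KEY_B = "0xAAAAAAAA", "0xBBBBBBBB"
STALE = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" \
        "0123456789abcdef0123456789abcdef  example-1.0-1.src.rpm\n"
CURRENT = "%s  %s\n" % (hashlib.md5(SRPM_DATA).hexdigest(), SRPM_NAME)
WRONG = "ffffffffffffffffffffffffffffffff  %s\n" % SRPM_NAME

if __name__ == "__main__":
    for label, text in (("stale", STALE), ("current", CURRENT), ("wrong", WRONG)):
        print(label, check_srpm(SRPM_NAME, SRPM_DATA, KEY_A, text, KEY_A))
```

Only the stale case changes behaviour relative to a strict check: a missing entry passes on the strength of the SRPM signature, while a differing hash or a different signing key still fails.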