On Mon, 2011-07-04 at 23:27 -0500, Michael Cronenworth wrote:
> On 07/04/2011 10:53 PM, Paul Wouters wrote:
> > It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> > automatically check the tar ball.
>
> Hm, yes. It would be nice to see Koji support checking source sigs. OBS
> already does so. Seeing as Debian has done this for years with the
> source .deb including a signature file, RPM >4.9 could support sigs for
> the Source0 file.

Making Source0 a special case sounds rather dirty to me; if at all, such functionality should be available for all source files (and patches eventually).

Furthermore, just having a signature file doesn't help a bit if you can't be sure who created the signature... and I suspect if we were to restrict ourselves to upstream packages that a) have gpg signatures b) from keypairs not more than a certain "distance" (web-of-trust-wise) away from a known good keypair, we'd be able to trim down the package repositories substantially ;-).

So for the time being I guess we should stick with letting package maintainers check this (if there is anything to check).

Nils
-- 
Nils Philippsen      "Those who would give up Essential Liberty to purchase
Red Hat               a little Temporary Safety, deserve neither Liberty
nils@xxxxxxxxxx       nor Safety."  -- Benjamin Franklin, 1759
PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
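The distinction Nils draws above, that a signature which verifies is not the same as a signature from someone you have decided to trust for this package, is what any automated source check in a build script has to encode. The following is an added example (not code from the thread, from Koji, OBS or rpmbuild) showing how a maintainer-side wrapper would do it: run gpg with `--status-fd` against the tarball and its detached `.asc`, then accept only if gpg reports GOODSIG/VALIDSIG, the primary-key fingerprint is on a per-package allowlist, and the key's trust level is at least full. The allowlisted fingerprint is the one from Nils's signature block; the keyring path, the gpg status lines and the signer on the rejected cases are constructed for the example.

```python
"""Evaluate gpg --status-fd output for a detached tarball signature.

A "good" signature only proves the file is unmodified since someone
holding *some* key signed it.  The checks below additionally require
that the signing key is one we have chosen to trust for this package.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

# Primary-key fingerprints allowed to sign this package's sources.
# Taken from the PGP fingerprint in the signature block of the post above.
TRUSTED_FINGERPRINTS: Set[str] = {"C4A894745C4CADE32B8F656D47D89B6569513011"}

# gpg trust levels we accept for the signing key (web-of-trust result).
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Status keywords that mean the signature must be rejected outright.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def evaluate_status(status_text: str,
                    trusted: Set[str] = TRUSTED_FINGERPRINTS,
                    accepted_trust: Set[str] = ACCEPTED_TRUST) -> Verdict:
    """Decide from gpg's machine-readable status lines whether to accept."""
    goodsig = False
    fingerprint = None
    trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL_KEYWORDS:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG":
            # Field 2 is the fingerprint of the key that made the signature
            # (possibly a subkey); modern gpg appends the primary-key
            # fingerprint as the last field, which is what we allowlist.
            fingerprint = (fields[-1] if len(fields) >= 12 else fields[2]).upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not goodsig or fingerprint is None:
        return Verdict(False, "no valid signature found")
    if fingerprint not in trusted:
        return Verdict(False,
                       f"signature is valid but signer {fingerprint} is not a key we trust for this package",
                       fingerprint)
    if trust not in accepted_trust:
        return Verdict(False, f"signer key has trust level {trust}, need one of {sorted(accepted_trust)}",
                       fingerprint)
    return Verdict(True, "good signature from a trusted key", fingerprint)


def verify_tarball(tarball: str, sigfile: str, keyring: str) -> Verdict:
    """Run gpg against a real tarball/.asc pair using a dedicated keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
         "--keyring", keyring, "--verify", sigfile, tarball],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout)


# Constructed sample status output, in the format gpg writes to --status-fd.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 47D89B6569513011 Nils Philippsen <nils@example.org>
[GNUPG:] VALIDSIG C4A894745C4CADE32B8F656D47D89B6569513011 2011-07-05 1309843620 0 4 0 1 2 00 C4A894745C4CADE32B8F656D47D89B6569513011
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Valid signature, but from a key nobody vetted: the case Nils warns about.
UNKNOWN_SIGNER_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-07-05 1309843620 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 47D89B6569513011 Nils Philippsen <nils@example.org>
"""

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("unknown signer", UNKNOWN_SIGNER_STATUS), ("bad", BAD_STATUS)]:
        print(name, evaluate_status(status))
```

Keeping a per-package keyring (rather than the maintainer's personal one) and allowlisting primary-key fingerprints in the spec's source control is what makes the check reproducible for whoever runs the build next; the trust-level test on top is where a web-of-trust "distance" policy like the one Nils sketches would plug in.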