On Tue, 2011-07-05 at 11:13 +0200, Nils Philippsen wrote:
> On Mon, 2011-07-04 at 23:27 -0500, Michael Cronenworth wrote:
> > On 07/04/2011 10:53 PM, Paul Wouters wrote:
> > > It would be nice if we could upload/commit the .asc or .sig file, and have the rpmbuild script
> > > automatically check the tar ball.
> >
> > Hm, yes. It would be nice to see Koji support checking source sigs. OBS
> > already does so. Seeing as Debian has done this for years with the
> > source .deb including a signature file, RPM >4.9 could support sigs for
> > the Source0 file.
>
> Making Source0 a special case sounds rather dirty to me, if at all such
> functionality should be available for all source files (and patches
> eventually).
>
> Furthermore, just having a signature file doesn't help a bit if you
> can't be sure who created the signature... and I suspect if we were to
> restrict ourselves to upstream packages that a) have gpg signatures b)
> from keypairs not more than a certain "distance" (web-of-trust-wise)
> away from a known good keypair, we'd be able to trim down the package
> repositories substantially ;-). So for the time being I guess we should
> stick with letting package maintainers check this (if there is anything
> to check).

I didn't see any suggestion that packages be *required* to have a
signature, only that we somehow run an automated check on one if there
is one. Rather than making specific Source numbers a special case, why
not just go on naming? The convention for signatures is to add an
extension to the name of the tarball the signature is for; that
shouldn't be too hard to implement, I don't think.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
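The naming-convention check discussed in the thread, written out as an added example (it is not code from the thread, from Koji, or from any Fedora tooling): for every source archive in a directory, look for a companion `.asc`/`.sig`/`.sign` file and, if one exists, verify it with `gpgv` against a keyring the package maintainer controls. The keyring path, the `upstream-keys.gpg` default, and the set of archive extensions are assumptions; the keyring is expected to hold only upstream keys the maintainer has already vetted, which is what answers Nils's point that a signature by itself proves nothing about who signed.

```shell
#!/bin/sh
# Added example, not from the thread: find detached signatures by naming
# convention and verify the archives they accompany against a curated keyring.

# Print the detached signature that accompanies archive $1, if one exists.
# Convention: the signature has the archive's name plus an extra extension.
find_sig() {
    f="$1"
    for ext in asc sig sign; do
        if [ -f "$f.$ext" ]; then
            printf '%s\n' "$f.$ext"
            return 0
        fi
    done
    return 1
}

# Verify archive $1 with detached signature $2 using only keys in keyring $3
# (assumed: a binary keyring exported with `gpg --export`, kept alongside the
# spec file). gpgv succeeds only if the signature was made by a key in that
# keyring, so an unknown signer fails rather than "verifies".
verify_source() {
    archive="$1"; sigfile="$2"; keyring="$3"
    gpgv --keyring "$keyring" "$sigfile" "$archive" 2>/dev/null
}

# Walk directory $1; verify every archive that has a signature, skip those
# that don't (the thread never proposed requiring signatures). Returns 1 if
# any present signature fails to verify.
check_sources() {
    dir="$1"; keyring="$2"; rc=0
    for src in "$dir"/*.tar.* "$dir"/*.tgz "$dir"/*.zip; do
        [ -f "$src" ] || continue
        case "$src" in *.asc|*.sig|*.sign) continue ;; esac
        if sig=$(find_sig "$src"); then
            if verify_source "$src" "$sig" "$keyring"; then
                echo "OK   $src (signature: $sig)"
            else
                echo "FAIL $src: $sig did not verify against $keyring"
                rc=1
            fi
        else
            echo "SKIP $src: no detached signature found"
        fi
    done
    return $rc
}

# Usage: ./check-sources.sh SOURCES_DIR [KEYRING]   (assumed file name)
if [ $# -ge 1 ]; then
    check_sources "$1" "${2:-upstream-keys.gpg}"
fi
```

A build script would run this over the `SOURCES` directory before `rpmbuild` and abort on a non-zero exit; because discovery goes by file name rather than by `SourceN` number, it applies equally to every source archive and to signed patches without any special-casing in the spec.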