On 07/05/2011 03:46 AM, Michael Schwendt wrote:
> Some packagers do upload the detached sig and add it to the spec
> as another Source file URL.

Great! Except I haven't done so. I wasn't required to submit a signature for my package, nor do the Package Guideline pages refer to doing so. Might be worth someone's time to mention it on the wiki (who knows about this functionality).

> The uploaded tarball checksum enters the "sources" file in git, and any
> tarball downloaded from the lookaside cache MUST match that checksum.
> Else it wouldn't be downloaded and used. Source RPM build in koji would
> fail. This is just a checksum against the tarball that enters the lookaside cache.

Yes, I know about this. A malicious package could have been uploaded to the lookaside cache, however. This leads to demanding everyone have signatures available, but what do you do about SVN/Git checkouts or projects that don't wish to provide signatures?

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
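The exchange above turns on what the "sources" checksum does and does not prove. The following is an added example, not code from this thread or from the Fedora build tooling: it parses the two line formats a Fedora `sources` file has used (the older `<md5hex>  <filename>` form and the newer `SHA512 (<filename>) = <hex>` form), verifies a tarball's bytes against the recorded digest, and refuses anything not listed. The tarball bytes and the `sources` lines are constructed for the example. The check confirms the bytes are the ones the packager uploaded to the lookaside cache; as the message says, it cannot tell you whether that upload was the upstream release, which is what an upstream detached signature (`gpg --verify foo.tar.gz.sig foo.tar.gz`) adds on top.

```python
import hashlib
import hmac
import re

# Old-style line: "<md5hex>  <filename>"; new-style line: "SHA512 (<filename>) = <hex>".
OLD_STYLE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")
NEW_STYLE = re.compile(r"^(SHA\d+|MD5)\s+\((\S+)\)\s+=\s+([0-9a-fA-F]+)$")


def parse_sources(text):
    """Return {filename: (hash algorithm, hex digest)} from a sources file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NEW_STYLE.match(line)
        if m:
            algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
        else:
            m = OLD_STYLE.match(line)
            if not m:
                # A line we cannot parse is a reason to stop, not to skip.
                raise ValueError(f"unparseable sources line: {line!r}")
            digest, name = m.group(1).lower(), m.group(2)
            algo = "md5"
        entries[name] = (algo, digest)
    return entries


def verify_tarball(name, data, entries):
    """True only if `data` hashes to the digest recorded for `name`.

    An unlisted file is rejected rather than silently accepted: the
    point of the sources file is that nothing else enters the build.
    """
    if name not in entries:
        return False
    algo, expected = entries[name]
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: a fake release tarball and the sources file a packager
# would have committed for it (digests computed here, not copied from anywhere).
SAMPLE_TARBALL = b"hello-1.0 fake tarball bytes for the example\n"
SAMPLE_SOURCES = (
    "SHA512 (hello-1.0.tar.gz) = " + hashlib.sha512(SAMPLE_TARBALL).hexdigest() + "\n"
    # Old-style entry for an empty file; this is the well-known MD5 of "".
    "d41d8cd98f00b204e9800998ecf8427e  empty.tar.gz\n"
)


def demo():
    """Run the three cases a packager cares about; returns a dict of results."""
    entries = parse_sources(SAMPLE_SOURCES)
    return {
        "matches_upload": verify_tarball("hello-1.0.tar.gz", SAMPLE_TARBALL, entries),
        # One flipped byte: the checksum catches a tarball altered after upload.
        "tampered": verify_tarball("hello-1.0.tar.gz", SAMPLE_TARBALL[:-1] + b"!", entries),
        # A file that was never recorded in sources must not be accepted.
        "unlisted": verify_tarball("evil-0.1.tar.gz", SAMPLE_TARBALL, entries),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'REJECTED'}")
```

Note the failure the message points at: if a malicious tarball is what got uploaded, `matches_upload` is still True, because the digest was derived from that very upload. Only a signature from a key the packager trusts as upstream's, checked before `fedpkg new-sources` (or whatever uploads to the cache) is run, distinguishes "what I uploaded" from "what upstream released".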