On Tue, 2011-07-05 at 17:11 -0500, Michael Cronenworth wrote:
> On 07/05/2011 11:59 AM, Adam Williamson wrote:
> > That sounds like an excellent idea for a contribution! Remember, the
> > AutoQA project is explicitly designed to allow and indeed encourage
> > tests to be contributed - we would love it if the core AutoQA team
> > worked mostly on the framework, and tests were contributed by many
> > people. See https://fedoraproject.org/wiki/Writing_AutoQA_Tests .
>
> There's a few caveats that have been mentioned in this thread that would
> make this functionality mostly pointless to try and implement.
>
> 1) Not all packages include gpg signatures.
>    a) not everyone knows they can include them
>    b) SCM checkouts don't have signatures
>    c) some projects don't use them
> 2) We don't have a system to validate a gpg signature in place. My
> understanding of GPG is that we would need to house all the public keys
> to validate against. Nothing like this exists. I'm lazy and don't feel
> like creating such a system. :)
>
> We're stuck with the lookaside cache checksum for now.

1) doesn't really matter. So we get some assurance for some packages, not
all; it's still better than none. Don't make the perfect the enemy of the
good.

2) ditto - we can 'house' them in so far as including them as package
sources. If they aren't included then don't run the check. If they are,
run the check...
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
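
Added example (not part of the original message, and not AutoQA's own code): the rule from the reply to point 2, where the check runs only when a package ships both a detached signature and a keyring among its sources, and is skipped otherwise. The function names, the suffix lists and the sample spec are assumptions; the spec text is assumed to be macro-expanded already (for example with `rpmspec -P`), and the keyring is assumed to be a binary export that `gpgv --keyring` can read.

```python
import re
import subprocess
from pathlib import Path

SIG_SUFFIXES = (".asc", ".sig", ".sign")   # assumed detached-signature names
KEYRING_SUFFIXES = (".gpg", ".kbx")        # assumed keyring names
SOURCE_RE = re.compile(r"^Source\d*\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def plan_checks(spec_text):
    """Return (keyring, [(tarball, signature), ...]) from the Source lines."""
    names = [url.rsplit("/", 1)[-1] for url in SOURCE_RE.findall(spec_text)]
    keyring = next((n for n in names if n.endswith(KEYRING_SUFFIXES)), None)
    pairs = []
    for sig in names:
        if sig.endswith(SIG_SUFFIXES):
            target = sig.rsplit(".", 1)[0]   # foo.tar.gz.asc -> foo.tar.gz
            if target in names:              # only pair with a shipped source
                pairs.append((target, sig))
    return keyring, pairs

def check_package(spec_text, srcdir, run=subprocess.run):
    """SKIPPED if nothing to verify, else PASSED/FAILED from gpgv."""
    keyring, pairs = plan_checks(spec_text)
    if keyring is None or not pairs:
        return "SKIPPED"                     # "If they aren't included then
                                             #  don't run the check."
    # gpgv treats a keyring name without a slash as relative to its home
    # directory, so pass an absolute path to the packaged keyring.
    keyring_path = str(Path(srcdir, keyring).resolve())
    for tarball, sig in pairs:
        cmd = ["gpgv", "--keyring", keyring_path,
               str(Path(srcdir, sig)), str(Path(srcdir, tarball))]
        if run(cmd, capture_output=True).returncode != 0:
            return "FAILED"                  # bad signature or unknown key
    return "PASSED"

# Constructed sample spec fragment (not a real package).
SAMPLE_SPEC = """\
Name:    example
Source0: https://example.org/releases/example-1.0.tar.gz
Source1: https://example.org/releases/example-1.0.tar.gz.asc
Source2: example-keyring.gpg
Patch0:  fix-build.patch
"""

if __name__ == "__main__":
    print(plan_checks(SAMPLE_SPEC))
    print(check_package("Source0: https://example.org/plain-2.0.tar.gz\n", "."))
```

A FAILED result covers both a bad signature and a signature made by a key that is not in the packaged keyring, since gpgv exits non-zero in either case.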