On Sat, 2004-12-18 at 02:11 +0100, Enrico Scholz wrote:

> How? Signing the data-transfer can not be compared with SRPM signing.

In Arch for example, each individual changeset is signed with a GPG
signature. What is the threat that SRPM signing solves that Arch
changeset signing doesn't?

> >> - SRPM give you reproducibility, CVS not
> >
> > Not true if you can map NVR->CVS tag.
>
> You do not know if somebody renamed the tag between two checkouts.

This is a CVS flaw, to be sure. But moving a tag should never happen;
we'd build a bit of intelligence into our tools to double-check this.

> >> - SRPM are buildable with system-tools (rpmbuild); for CVS you need lots
> >> of prerequisites.
> >
> > Not necessarily. We could just stick the necessary scripts in the
> > common/ dir or whatever. Or just include the necessary tools in an
> > updated rpmbuild.
>
> You will still need online-access.

No, you don't. You do a CVS checkout, and then build on your local
machine. How is that different from SRPM?
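One way to build the "double-check" for a moved tag that the reply above mentions, as an added example that is not code from this thread or from Fedora's build tooling: at build time, pin each NVR to a digest of the checked-out tree it was built from, and on a later checkout of the same tag compare the digest before trusting the mapping NVR -> tag. CVS/ administrative directories are excluded because they change on every checkout. The manifest layout, the function names and the `foo-1_0-1` tag naming convention (CVS tags cannot contain dots) are assumptions for the illustration; the sample files are constructed inline.

```python
"""Pin an NVR to the tree contents it was built from, so a later checkout of
the same CVS tag can be checked for a moved or renamed tag.

Added illustration, not tooling from the thread. Manifest format and
function names are invented for the example.
"""
import hashlib
import json
import os
import tempfile


def tree_digest(root):
    """SHA-256 over (relative path, file digest) for every file under root.

    CVS/ administrative directories are skipped: they are rewritten on every
    checkout and say nothing about the source that actually gets built.
    """
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != "CVS")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h.update(rel.encode() + b"\0")  # path and content both matter
            with open(path, "rb") as f:
                h.update(hashlib.sha256(f.read()).digest())
    return h.hexdigest()


def record_build(manifest, nvr, tag, checkout_dir):
    """Record which tag and which tree contents produced the package NVR."""
    manifest[nvr] = {"tag": tag, "digest": tree_digest(checkout_dir)}
    return manifest[nvr]


def verify_checkout(manifest, nvr, tag, checkout_dir):
    """Return (ok, reason): does this checkout match what built the NVR?"""
    entry = manifest.get(nvr)
    if entry is None:
        return False, "no recorded build for %s" % nvr
    if entry["tag"] != tag:
        return False, "%s was built from tag %s, not %s" % (nvr, entry["tag"], tag)
    if tree_digest(checkout_dir) != entry["digest"]:
        return False, "tag %s no longer points at the tree that built %s" % (tag, nvr)
    return True, "checkout matches the recorded build of %s" % nvr


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: record a build, re-check out, then 'move' the tag.

    Returns (ok_after_build, ok_after_fresh_checkout, ok_after_tag_moved).
    """
    with tempfile.TemporaryDirectory() as tmp:
        co = os.path.join(tmp, "foo")
        _write(os.path.join(co, "foo.spec"), "Name: foo\nVersion: 1.0\nRelease: 1\n")
        _write(os.path.join(co, "foo-1.0.patch"), "--- a\n+++ b\n")
        _write(os.path.join(co, "CVS", "Entries"),
               "/foo.spec/1.1/Sat Dec 18 2004//Tfoo-1_0-1\n")

        manifest = {}
        record_build(manifest, "foo-1.0-1", "foo-1_0-1", co)
        ok_build, _ = verify_checkout(manifest, "foo-1.0-1", "foo-1_0-1", co)

        # The manifest is plain JSON; it would ship next to the built packages.
        reloaded = json.loads(json.dumps(manifest))

        # A fresh checkout rewrites CVS/Entries; that must not be flagged.
        _write(os.path.join(co, "CVS", "Entries"),
               "/foo.spec/1.1/Sun Dec 19 2004//Tfoo-1_0-1\n")
        ok_fresh, _ = verify_checkout(reloaded, "foo-1.0-1", "foo-1_0-1", co)

        # Someone moved the tag onto a revision with a different patch.
        _write(os.path.join(co, "foo-1.0.patch"), "--- a\n+++ b\n+extra\n")
        ok_moved, reason = verify_checkout(reloaded, "foo-1.0-1", "foo-1_0-1", co)
        return ok_build, ok_fresh, ok_moved


if __name__ == "__main__":
    print(demo())
```

The digest is over the source tree rather than over CVS metadata on purpose: a tag that is deleted and re-applied to the same revisions still yields the same tree and is harmless, while a tag silently moved to different content is exactly what this catches, whatever the repository claims about the tag.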