On Mon, 2016-03-21 at 10:25 +0000, David Woodhouse wrote:
> Michael, you make a very good point at
> https://blogs.gnome.org/mcatanzaro/2016/03/13/do-you-trust-this-package/
>
> Our packaging guidelines really ought to mandate that *if* upstream
> publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
> package *must* verify those signatures as part of %prep.

Hi,

I agree this is a good idea. I actually did not consider that we could
handle this in %prep.

> Do you want to put a draft together for approval by the packaging
> committee?

Nope. Maybe somebody else will be interested in working on this. (I have
no clue how to use GPG anyway. :)

> It might be nice to provide some RPM macros to make that easier for
> packagers.

I agree.

> I've had a go at doing this for OpenConnect, in
> http://pkgs.fedoraproject.org/cgit/rpms/openconnect.git/commit/?id=ca61de3f77
>
> It's a bit pointless there, since the tarballs tend to get uploaded to
> Fedora from the same workstation I sign them on, sometimes *before*
> they're uploaded to the FTP site. But it's still good practice, as you
> rightly point out.

Thanks,

Michael
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
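A %prep signature check of the kind discussed in the thread, as an added example spec fragment (it is not taken from the openconnect commit linked above): it assumes upstream publishes a detached `.asc` signature beside the tarball and that the packager reviews upstream's public key once and commits it to dist-git as Source2; the package name, URLs and key id are placeholders.

```spec
# Added example spec fragment: verify the upstream signature in %prep.
# Name, URLs, version and key id are placeholders, not real values.
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Example package that verifies its tarball signature
License:        MIT
URL:            https://example.org/

# The tarball and upstream's detached signature of it.
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
Source1:        https://example.org/releases/%{name}-%{version}.tar.gz.asc
# Upstream's public key, reviewed by the packager and committed to
# dist-git, exported with:  gpg --export 0xKEYID > gpgkey-KEYID.gpg
# Pinning the key in the package, instead of fetching it from a keyserver
# at build time, makes the check a trust decision the packager owns.
Source2:        gpgkey-KEYID.gpg

BuildRequires:  gnupg2

%description
Example package whose %%prep aborts the build if the tarball was not
signed by the pinned upstream key.

%prep
# gpgv2 checks Source1 against Source0 using only the pinned keyring.
# It exits non-zero on a bad or missing signature or an unknown key,
# which aborts rpmbuild before any source is unpacked.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
# Later redhat-rpm-config releases wrap the same check in a macro:
#   %%{gpgverify} --keyring='%%{SOURCE2}' --signature='%%{SOURCE1}' --data='%%{SOURCE0}'
%setup -q
```

Note that `%` inside spec comments is still macro-expanded by rpm, which is why the commented-out macro names are written with `%%`.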