On Tue, 2016-03-22 at 18:01 +0100, Björn Persson wrote:
> Because technically, verifying a tarball that the packager uploaded,
> with a signature that the packager uploaded, against a key that the
> packager uploaded, that doesn't really add anything compared to the
> packager verifying the signature before they upload the tarball.

... every time.

You're right, it doesn't really add anything. But it's free, and it's a
belt-and-braces system. Whatever might corrupt a tarball between the
original download and the RPM build, the check in %prep would catch it.

Assuming the signing key isn't *also* compromised, of course. But there's
a fairly large class of problems that *would* be caught. For almost no
effort.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@xxxxxxxxx                              Intel Corporation
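The %prep check described above, as an added example that is not code from this thread or from any real Fedora package: a spec fragment that verifies upstream's detached signature against a keyring pinned in the package repository before the tarball is unpacked. The package name, the example.org URLs, the key file name and the maintainer address are placeholders. `%{gpgverify}` is the helper macro shipped in redhat-rpm-config (added after this 2016 thread); the commented `gpgv2` line is the equivalent for buildroots without it.

```spec
# Added example, not from the thread or from any existing package.
# The point of the check: Source0 and Source1 travel together from
# upstream, but Source2 (the public key) is fetched once, compared with
# the fingerprint upstream publishes out of band, and committed to the
# package repo. Anything that corrupts or swaps the tarball between the
# packager's download and the build fails here, before it is unpacked.
# If the pinned key itself were wrong, the check proves nothing; that is
# the caveat from the thread.

Name:           examplepkg
Version:        1.2.3
Release:        1%{?dist}
Summary:        Placeholder package demonstrating upstream signature checks
License:        MIT
URL:            https://example.org/examplepkg

# Tarball and detached signature, both downloaded from upstream.
Source0:        https://example.org/releases/%{name}-%{version}.tar.xz
Source1:        https://example.org/releases/%{name}-%{version}.tar.xz.asc
# Upstream's public key (placeholder fingerprint), kept in the package
# repository as the trust anchor for the verification below.
Source2:        gpgkey-0000000000000000000000000000000000000000.gpg

# gpgv2 / the gpgverify helper come from gnupg2.
BuildRequires:  gnupg2

%description
Placeholder package whose %%prep section verifies the upstream tarball
against a pinned signing key.

%prep
# Abort the build on any bad, missing or unknown-key signature. This runs
# before the archive is extracted, so a tampered tarball never reaches
# the build.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'

# Equivalent on older buildroots without the macro (gpgv2 exits non-zero
# on verification failure, which fails %%prep the same way):
#   gpgv2 --keyring '%%{SOURCE2}' '%%{SOURCE1}' '%%{SOURCE0}'

%setup -q

%build
%configure
%make_build

%install
%make_install

%files
%license LICENSE
%{_bindir}/%{name}

%changelog
* Tue Mar 22 2016 Placeholder Packager <packager@example.org> - 1.2.3-1
- Verify the upstream signature in %%prep before unpacking
```

Two points worth keeping in mind when adopting this: the key file must come from a different path than the tarball (upstream's published fingerprint, a keyserver cross-check, or a release announcement), otherwise the three files share a single point of failure; and `%%` rather than `%` is needed inside spec comments, because rpm expands macros in comment lines too.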
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx