On Thu, Mar 24, 2016 at 10:28:45AM +0100, Björn Persson wrote:
> David Woodhouse wrote:
> > Our packaging guidelines really ought to mandate that *if* upstream
> > publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
> > package *must* verify those signatures as part of %prep.
>
> I just thought of something that shouldn't be forgotten: How would this
> affect the bootstrapping of a new architecture?
>
> In https://fedoraproject.org/wiki/Architectures/AArch64/Bootstrap the
> gnupg2 package is listed in stage 3, where builds were done with
> RPMbuild. Bash (just to pick an example) is also listed in stage 3. Bash
> tarballs are signed, so verification would be required in bash.spec.
> This would move GPG and its dependencies to stage 2, stuff that must be
> built before RPMbuild can be used.
>
> Is that acceptable? Should there be something that disables the
> verification during bootstrapping?

Put a link gpg → true in $PATH for the duration of stages 1-2?

Zbyszek