Re: Checking signatures on package source tarballs

On 29 Mar 2016 18:08, "Ralf Senderek" <fedora@xxxxxxxxxxx> wrote:
>
> > David Woodhouse wrote:
>
> > If we need to repackage the tarball to remove patent-encumbered or otherwise
> > illegal or non-redistributable files, we cannot do this.
>
> I think we can. Because the check in %prep should make sure that you've got the real thing.
> It doesn't require that you have to package everything that makes up the source after extraction.

The issue isn't the binary RPM but rather the SRPM which would need to include the signed tarball (and the lookaside cache for the sources of course) so that %prep works in koji.

It's fine as an optional thing but wouldn't work as a mandatory one.

And of course, with the packager uploading both the key and the archive to git, and with no net access in koji to verify the key, I really don't see what this actually gives us beyond a heads up to a sleeper maintainer that he doesn't have an official tarball when built locally...

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
