On Wed, Mar 30, 2016 at 07:01:53AM +0100, James Hogarth wrote:
> And of course with the packager uploading both the key and the archive to
> git with no net access in koji to verify the key I really don't see what
> this actually gives us

The signature and key can be verified by anyone. The signature key usually
changes only rarely, and dist-git history is immutable, so you can easily
check that the key is the same one that has been used to sign previous
releases by looking at git history, which is already useful by itself.

By expending a bit more effort, you can do a verification of the key once in
some side channel (e.g. using the network or some local web-of-trust), and
then only check that this key hasn't changed in dist-git. If the key ever
changes, this is a reason for suspicion and a careful check.

> beyond a heads up to a sleeper maintainer that he
> doesn't have an official tarball when built locally...

I don't think you can discount this. Most maintainers don't check the
tarballs they download if they build fine, afaik.

Checking the signatures in %prep would force a significant change to how we
build srpms.

Zbyszek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
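One way to mechanise the "has the key changed in dist-git history" check described in the reply above, as an added example that is not code from the thread or from Fedora infrastructure: a fingerprint verified once out of band is pinned, every commit that touched the committed key file is walked, and commits whose stored key does not carry that fingerprint are reported. The repository path, the key file name and the git-based history walk are assumptions; the fingerprint construction follows RFC 4880.

```python
"""Pin an upstream signing key's fingerprint and flag dist-git commits that
change it. Added example, not code from the Fedora thread; assumes the packager
commits the upstream OpenPGP public key as a binary file (e.g. gpgkey.gpg).
"""
import hashlib
import subprocess
from typing import Iterable, Iterator, List, Tuple

def _read_packet(blob: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one old-format OpenPGP packet header (RFC 4880 4.2.1)."""
    ctb = blob[pos]
    if (ctb & 0x80) == 0 or ctb & 0x40:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    nlen = 1 << ltype                      # 1, 2 or 4 length octets
    length = int.from_bytes(blob[pos + 1:pos + 1 + nlen], "big")
    start = pos + 1 + nlen
    return tag, blob[start:start + length], start + length

def fingerprints(blob: bytes) -> List[str]:
    """v4 fingerprints of every primary public key in a binary keyring.

    RFC 4880 12.2: SHA-1(0x99 || two-octet body length || packet body).
    """
    out, pos = [], 0
    while pos < len(blob):
        tag, body, pos = _read_packet(blob, pos)
        if tag == 6 and body[0] == 4:      # public-key packet, version 4
            h = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
            out.append(h.hexdigest().upper())
    return out

def key_history(repo: str, path: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (commit, key file contents) for each commit that touched path."""
    log = subprocess.run(["git", "-C", repo, "log", "--format=%H", "--", path],
                         check=True, capture_output=True, text=True).stdout
    for commit in log.split():
        blob = subprocess.run(["git", "-C", repo, "show", f"{commit}:{path}"],
                              check=True, capture_output=True).stdout
        yield commit, blob

def unexpected_changes(history: Iterable[Tuple[str, bytes]],
                       pinned_fpr: str) -> List[str]:
    """Commits whose stored key lacks the fingerprint verified out of band."""
    return [commit for commit, blob in history
            if pinned_fpr.upper() not in fingerprints(blob)]
```

Compare fingerprints rather than file hashes: re-exporting the same key with fresh third-party signatures changes the bytes but not the fingerprint. `unexpected_changes(key_history("/path/to/dist-git", "gpgkey.gpg"), PINNED)` returns the commits worth a careful look.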