On Wed, Mar 30, 2016 at 02:26:59PM -0000, Ralf Senderek wrote:

[snip the part I completely agree with]

> Having said the above, I also advocate a SHOULD instead of a MUST in
> the guidelines as providing a signature with the source tarball is
> voluntary for upstream and should be viewed as an additional means
> to maintain the integrity of the code that should be honoured in the
> spec file.

What the upstream does is something that we cannot control, and we can
only encourage the upstream to DTRT. In fact signatures and license
files are quite similar: our guidelines say that the license file MUST
be installed if provided by upstream, and packagers SHOULD ask upstream
to provide it if it is missing [1]. I think we should follow this
pattern for signatures.

There will always be exceptions to the "MUST check if signed" rule:
repacking the tarball is an obvious one. The guidelines should
acknowledge this.

Zbyszek

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx