On Wed, Mar 30, 2016 at 02:44:44PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Wed, Mar 30, 2016 at 02:26:59PM -0000, Ralf Senderek wrote:
> [snip the part I completely agree with]
>
> > Having said the above, I also advocate a SHOULD instead of a MUST in
> > the guidelines as providing a signature with the source tarball is
> > voluntary for upstream and should be viewed as an additional means
> > to maintain the integrity of the code that should be honoured in the
> > spec file.
> What the upstream does is something that we cannot control, and we can
> only encourage the upstream to DTRT.
>
> In fact signatures and license files are quite similar:
> our guidelines say that the license file MUST be installed if provided
> by upstream, and packagers SHOULD ask upstream to provide it if it is
> missing [1]. I think we should follow this pattern for signatures.
>
> There will always be exceptions to the "MUST check if signed" rule:
> repacking the tarball is an obvious one. The guidelines should
> acknowledge this.
>
> Zbyszek

[1] https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
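For readers who want to see what "honouring the signature in the spec file" looks like in practice, here is an added example spec fragment; it is not from this thread or from any Fedora package, and the package name, URLs and the key-file name are constructed placeholders. It uses the %{gpgverify} macro that Fedora's redhat-rpm-config later provided for exactly this purpose: the packager pins the upstream signing key as a source file and verifies the detached signature over the tarball in %prep, so a tampered tarball or a signature from an unexpected key fails the build before anything is unpacked.

```spec
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Example package that verifies the upstream tarball signature
License:        MIT
URL:            https://example.invalid/example

# Constructed URLs: the upstream release tarball and its detached signature.
Source0:        https://example.invalid/releases/example-%{version}.tar.gz
Source1:        https://example.invalid/releases/example-%{version}.tar.gz.asc
# The upstream signing key, exported by the packager after checking its
# fingerprint out of band, and committed next to the spec file. The file
# name is a placeholder; Fedora names it gpgkey-<FINGERPRINT>.gpg.
Source2:        gpgkey-UPSTREAM_FINGERPRINT_PLACEHOLDER.gpg

# %{gpgverify} is a script shipped by redhat-rpm-config that runs gpgv.
BuildRequires:  gnupg2

%description
Demonstrates verifying an upstream detached signature during %prep.

%prep
# Verify the detached signature (Source1) over the tarball (Source0) using a
# throwaway keyring that contains only the pinned upstream key (Source2).
# A missing, mismatched or foreign-key signature makes this command fail,
# which aborts the build here rather than silently packaging the data.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup

%build
%configure
%make_build

%install
%make_install

%files
%license LICENSE
%{_bindir}/example
```

This fragment also shows where the exception Zbyszek mentions bites: the upstream signature covers the original archive, so if the packager repacks the tarball (for example to strip non-free content) the %prep check above cannot succeed against the repacked file. In that case the verification has to happen against the original archive before repacking, and the spec should say why the in-build check is absent.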