Pierre-yves Chibon wrote on Mon, 25 Sep 2017 09:38:39 +0200:
> On Sun, Sep 24, 2017 at 10:56:45AM +0330, Hedayat Vatankhah wrote:
>> Dear all,
>> Currently, AFAIK, the suggested method to upload new sources for a package
>> is using 'fedpkg new-sources' which uploads new sources from your local
>> system. I wonder if there is a method to upload new sources from a URL
>> rather than your local filesystem? It is especially useful for large
>> packages.
>
> It's an interesting idea but then it would become quite hard to check if there
> is a MITM attack of some sort. With the current process, at least the packager
> has the possibility to check the sources locally before uploading them into
> Fedora.
> The solution would be to provide the sha + the url and let the download be server
> side but that won't save you from downloading the sources locally first.

Yes, but even if I'm forced to download locally, it is much better than
being forced to upload it again. (Also, note that the current process
doesn't prevent MITM if it happens when I download the source).
Also, it is easier to schedule the download for a time when it is
cheaper (or free), but it'd be harder to do it for an upload since it
requires authentication.
I wonder where I can file an RFE for this feature. The current situation
is a blocker for people like me to maintain any package with large
source/data archives. I saw COPR supports a similar thing, and I hope
Fedora will support it too.
Regards,
Hedayat
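
The "sha + the url" scheme discussed in this thread, sketched as an added example (not code from fedpkg, the Fedora lookaside cache, or either poster). The function name `store_if_verified` is hypothetical, and `stream` stands in for the HTTP response body the server would open for the submitted URL; the size limit and the bare-file-name check are assumptions about what such a service would enforce.

```python
import hashlib
import hmac
import io
import os
import tempfile

CHUNK = 64 * 1024


class DigestMismatch(Exception):
    """Fetched bytes do not match the digest the packager supplied."""


def store_if_verified(stream, expected_sha512, dest_dir, name, max_bytes):
    """Copy stream into dest_dir/name only if its SHA-512 matches (hex)."""
    if name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("name must be a bare file name")
    digest = hashlib.sha512()
    total = 0
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(CHUNK):
                total += len(chunk)
                if total > max_bytes:
                    raise ValueError("source exceeds the size limit")
                digest.update(chunk)
                out.write(chunk)
        if not hmac.compare_digest(digest.hexdigest(), expected_sha512.lower()):
            raise DigestMismatch(name)
        final = os.path.join(dest_dir, name)
        os.replace(tmp, final)  # atomic: unverified bytes never appear as `name`
        return final
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)  # drop the partial or rejected download


if __name__ == "__main__":
    tarball = b"constructed stand-in for upstream-1.0.tar.gz"  # sample data
    claimed = hashlib.sha512(tarball).hexdigest()  # what the packager submits
    with tempfile.TemporaryDirectory() as cache:
        print(store_if_verified(io.BytesIO(tarball), claimed, cache, "upstream-1.0.tar.gz", 1 << 20))
        try:
            store_if_verified(io.BytesIO(tarball + b"!"), claimed, cache, "evil.tar.gz", 1 << 20)
        except DigestMismatch as exc:
            print("rejected:", exc)
```

The check only ties the server-side fetch to the digest the packager submitted; whether the copy the packager hashed was itself authentic is outside what it can show.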