On Tue, 26-09-2017 at 01:49 +0330, Hedayat Vatankhah wrote:
> Pierre-yves Chibon wrote on Mon, 25 Sep 2017 09:38:39 +0200:
> > On Sun, Sep 24, 2017 at 10:56:45AM +0330, Hedayat Vatankhah wrote:
> > > Dear all,
> > > Currently, AFAIK, the suggested method to upload new sources for a package
> > > is using 'fedpkg new-sources' which uploads new sources from your local
> > > system. I wonder if there is a method to upload new sources from a URL
> > > rather than your local filesystem? It is especially useful for large
> > > packages.
> >
> > It's an interesting idea but then it would become quite hard to check if there
> > is a mitm attack of some sort. With the current process, at least the packager
> > has the possibility to check the sources locally before uploading them into
> > Fedora.
> > The solution would be to provide the sha + the url and let the download be server
> > side but that won't save you from downloading the sources locally first.
>
> Yes, but even if I'm forced to download locally, it is much better than
> being forced to upload it again. (Also, note that the current process
> doesn't prevent MITM if it happens when I download the source).
> Also, it is easier to schedule the download for a time when it is
> cheaper (or free), but it'd be harder to do it for an upload since it
> requires authentication.

It does if you go to the effort to fully verify the sources. Which is a task that you are supposed to do. We have always ruled out pulling down the sources from random machines on the internet due to not being able to validate that the sources are correct or as intended.

> I wonder where I can file an RFE for this feature. The current situation
> is a blocker for people like me to maintain any package with large
> source/data archives. I saw COPR supports a similar thing, and I hope
> Fedora will support it too.
It would take a lot of effort to ensure that what we get is what is intended and can be trusted. Today we rely on you as a packager verifying the sources, and by uploading them directly you are saying this is really what I intended to send you and I have ensured that it is good. You would need to work with release engineering and infrastructure to come up with some way to sign off on the code being used. Given that many times the big tarballs actually only have a small amount of change, using exploded sources or making the copy in dist-git a mirror of the upstream SCM could work better. Maybe we could make a new namespace for the upstream code mirror. Then we could make tarballs from a given commit.

Dennis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
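The local check the thread keeps coming back to (download by URL, compare against the sha recorded from upstream, and only then run fedpkg new-sources), written up as an added POSIX shell helper that is not part of the thread or of fedpkg itself. It assumes curl and sha512sum are installed; the script name is a placeholder.

```shell
#!/bin/sh
# Added helper (not from the thread): download an upstream tarball by URL,
# compare it against the checksum you recorded from upstream, and only
# then hand it to 'fedpkg new-sources'. Assumes curl and sha512sum exist.
set -eu

# verify_checksum FILE EXPECTED_SHA512 -> 0 on match, 1 on mismatch.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_SHA512 [OUTFILE]
# Downloads to OUTFILE (default: basename of URL) and deletes it on a
# mismatch, so a tampered download is never left around to be uploaded
# by mistake. The checksum must come from a source you trust more than
# the download itself (signed SHA512SUMS file, release announcement, ...),
# otherwise a MITM on the download also controls the value you compare to.
fetch_and_verify() {
    url=$1
    expected=$2
    out=${3:-$(basename "$url")}
    curl --fail --location --silent --show-error -o "$out" "$url"
    if verify_checksum "$out" "$expected"; then
        return 0
    fi
    rm -f "$out"
    return 1
}

# Usage: ./fetch-sources.sh URL SHA512   (placeholder script name)
if [ "$#" -ge 2 ]; then
    fetch_and_verify "$1" "$2" && fedpkg new-sources "$(basename "$1")"
fi
```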