Dennis Gilmore <dennis@xxxxxxxx> wrote:

> Today we rely on you as a packager verifying the sources, and by
> uploading them directly you are saying this is really what I intended
> to send you and I have ensured that it is good. You would need to work
> with release engineering and infrastructure to come up with some way
> to sign off on the code being used.

Like maybe writing a hash of the tarball in the sources file (with some help from fedpkg perhaps) and checking that in? Then a server in the Fedora Project infrastructure could fetch the tarball from the Source URL in the spec and verify that it matches the hash.

Björn Persson
Attachment: pgpHXovxJ385U.pgp (OpenPGP digital signature)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
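The check Björn sketches above (packager pins a hash of the tarball in the sources file, a server re-fetches the tarball from the spec's Source URL and compares) as an added, stand-alone example. This is not fedpkg, Fedora infrastructure or release-engineering code; it assumes the "SHA512 (file) = hex" sources-file line format that newer fedpkg writes (the legacy two-column "md5hex  file" form is also parsed), expands only %{name} and %{version} in Source lines, and stubs the download with a fetch callable so it runs offline against a constructed tarball.

```python
"""Verify that an upstream tarball matches the hash a packager checked in.

Added example (not fedpkg or Fedora project code). Assumptions:
  * 'sources' lines look like "SHA512 (foo-1.2.tar.gz) = <hex>" (new fedpkg
    style) or "<32 hex md5>  foo-1.2.tar.gz" (legacy style).
  * Source URLs come from "SourceN:" lines in the spec; only %{name} and
    %{version} are expanded here, a real rpm macro expander would do more.
  * Downloading is abstracted behind a fetch(url) -> bytes callable.
"""
import hashlib
import hmac
import re

# ---- packager side: what a fedpkg-style helper would write into 'sources' ----

def sources_entry(filename: str, data: bytes, algo: str = "sha512") -> str:
    """Return the sources-file line pinning 'data' under 'filename'."""
    return f"{algo.upper()} ({filename}) = {hashlib.new(algo, data).hexdigest()}"

# ---- infrastructure side: parse the pins, fetch from the spec URL, compare ----

_NEW_FORM = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<file>\S+)\) = (?P<hex>[0-9a-fA-F]+)$")
_OLD_FORM = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+(?P<file>\S+)$")  # legacy md5 form

def parse_sources(text: str) -> dict:
    """Map tarball name -> (hash algorithm, expected hex digest)."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := _NEW_FORM.match(line)):
            pinned[m["file"]] = (m["algo"].lower(), m["hex"].lower())
        elif (m := _OLD_FORM.match(line)):
            pinned[m["file"]] = ("md5", m["hex"].lower())
        else:
            raise ValueError(f"unrecognised sources line: {line!r}")
    return pinned

def source_urls(spec_text: str) -> dict:
    """Map tarball basename -> URL taken from the spec's SourceN: lines."""
    macros = {}
    for key in ("Name", "Version"):
        if (m := re.search(rf"^{key}:\s*(\S+)", spec_text, re.MULTILINE)):
            macros[key.lower()] = m.group(1)
    urls = {}
    for m in re.finditer(r"^Source\d*:\s*(\S+)", spec_text, re.MULTILINE):
        url = m.group(1)
        for k, v in macros.items():
            url = url.replace("%{" + k + "}", v)
        urls[url.rsplit("/", 1)[-1]] = url
    return urls

def verify_tarball(filename: str, data: bytes, pinned: dict, allow_weak: bool = False) -> bool:
    """True only if 'data' hashes to the digest pinned for 'filename'.

    Unpinned files are rejected rather than trusted, and md5 pins are
    rejected unless the caller opts in, since md5 is not collision resistant.
    """
    if filename not in pinned:
        return False
    algo, expected = pinned[filename]
    if algo == "md5" and not allow_weak:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)

def check_repo(spec_text: str, sources_text: str, fetch) -> dict:
    """Server-side flow: for every Source URL in the spec, fetch and verify."""
    pinned = parse_sources(sources_text)
    return {name: verify_tarball(name, fetch(url), pinned)
            for name, url in source_urls(spec_text).items()}

# ---- constructed sample input (hypothetical package, invalid-TLD URL) ----------

EXAMPLE_TARBALL = b"\x1f\x8b\x08\x00 not a real gzip stream, just constructed bytes\n"
EXAMPLE_SPEC = """\
Name:    foo
Version: 1.2
Source0: https://example.invalid/foo/%{name}-%{version}.tar.gz
"""
EXAMPLE_SOURCES = sources_entry("foo-1.2.tar.gz", EXAMPLE_TARBALL) + "\n"

if __name__ == "__main__":
    good = check_repo(EXAMPLE_SPEC, EXAMPLE_SOURCES, lambda url: EXAMPLE_TARBALL)
    bad = check_repo(EXAMPLE_SPEC, EXAMPLE_SOURCES, lambda url: EXAMPLE_TARBALL + b"\x00")
    print("untouched upstream:", good)
    print("tampered download:", bad)
```

The fetch callable is where a real deployment would download from the Source URL; a mismatch means either the packager uploaded something other than what the URL serves or the upstream file changed after the hash was recorded, and in both cases the build should stop. Note that the check only proves the tarball equals what the packager saw; it does not verify the upstream's own signature, so a compromised upstream at pin time is still trusted.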