Björn Persson wrote on Mon, 2 Oct 2017 16:28:02 +0200:
Dennis Gilmore <dennis@xxxxxxxx> wrote:
Today we rely on you as a packager
verifying the sources, and by uploading them directly you are saying
this is really what I intended to send you and I have ensured that it
is good. You would need to work with release engineering and
infrastructure to come up with some way to sign off on the code being
used.
Like maybe writing a hash of the tarball in the sources file (with some
help from fedpkg perhaps) and checking that in? Then a server in the
Fedora Project infrastructure could fetch the tarball from the Source
URL in the spec and verify that it matches the hash.
I think it should work & it should be easy enough.
Also, instead of 'pulling down from random machines', it'd be enough if
it is not a random machine, but the packager's fedorapeople space. It'd be
enough if there is a way to upload sources from there (and possibly
remove them automatically after that).
Having a mirror of upstream SCM or something like it might also work
too. (But some upstreams might not have any (public?) SCM).
Regards,
Hedayat
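The verification step Björn sketches above (a hash committed in the `sources` file, checked by an infrastructure host against the tarball it fetches from the spec's Source URL) written out as an added example; this is not code from the thread or from fedpkg. The `ALGO (filename) = hexdigest` line format is the one fedpkg writes; the sample tarball bytes, the `sources` text and the `fetch` callable that stands in for the download are constructed for the demonstration.

```python
"""Check a fetched upstream tarball against the hash recorded in a
Fedora-style ``sources`` file (added example, not fedpkg's own code)."""
import hashlib
import hmac
import re
from typing import Callable, Dict, Tuple

# fedpkg's sources line: "<ALGO> (<filename>) = <hexdigest>"
SOURCES_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")


def parse_sources(text: str) -> Dict[str, Tuple[str, str]]:
    """Map filename -> (algorithm, hexdigest); reject lines we cannot parse."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SOURCES_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable sources line: {line!r}")
        algo = m.group("algo").lower()
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported hash algorithm: {algo}")
        entries[m.group("name")] = (algo, m.group("hex").lower())
    return entries


def verify_source(sources_text: str, filename: str,
                  fetch: Callable[[str], bytes]) -> bool:
    """Fetch `filename` (the download from the spec's Source URL is
    abstracted as `fetch`) and compare its digest with the committed one."""
    algo, expected = parse_sources(sources_text)[filename]
    actual = hashlib.new(algo, fetch(filename)).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a stand-in tarball and its matching sources file.
GOOD_TARBALL = b"constructed tarball contents for demonstration\n"
SOURCES_TEXT = (f"SHA512 (hello-1.0.tar.gz) = "
                f"{hashlib.sha512(GOOD_TARBALL).hexdigest()}\n")


def check_upstream(tarball_bytes: bytes) -> bool:
    """Pretend the server fetched `tarball_bytes` from the Source URL."""
    return verify_source(SOURCES_TEXT, "hello-1.0.tar.gz",
                         lambda _name: tarball_bytes)


if __name__ == "__main__":
    print("genuine:", check_upstream(GOOD_TARBALL))          # True
    print("modified:", check_upstream(GOOD_TARBALL + b"x"))  # False
```

A real deployment would fetch from the Source URL over the network and fail the build on a mismatch; here the mismatch case simply returns False.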
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx