On 2.10.2017 at 22:31 Hedayat Vatankhah wrote:
>
> Björn Persson wrote on Mon, 2 Oct 2017 16:28:02 +0200:
>> Dennis Gilmore <dennis@xxxxxxxx> wrote:
>>> Today we rely on you as a packager
>>> verifying the sources, and by uploading them directly you are saying
>>> this is really what I intended to send you and I have ensured that it
>>> is good. You would need to work with release engineering and
>>> infrastructure to come up with some way to sign off on the code being
>>> used.
>> Like maybe writing a hash of the tarball in the sources file (with some
>> help from fedpkg perhaps) and checking that in? Then a server in the
>> Fedora Project infrastructure could fetch the tarball from the Source
>> URL in the spec and verify that it matches the hash.
> I think it should work & it should be easy enough.
>
> Also, instead of 'pulling down from random machines', it'd be enough
> if it is not a random machine, but the packager's fedorapeople space. It'd
> be enough if there is a way to upload sources from there (and possibly
> remove them automatically after that).

If the sources were downloaded from somewhere, then it should be the
SourceX URL, nothing else makes sense IMHO. I know that you can create
the source archive by yourself for various reasons, but that should be
the exception, not the rule ...

Vít

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
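The check Björn sketches in the quoted part (a digest of each tarball recorded in the `sources` file, a build-side server fetching the tarball from the spec's SourceN URL and comparing digests) and Vít's point that anything not fetched from the SourceX URL cannot be verified this way, as an added example that is not part of this thread and is not fedpkg's or Fedora infrastructure's own code. It assumes the `SHA512 (name) = hex` line format of newer `sources` files, a spec whose SourceN tags are literal URLs with only `%{name}`/`%{version}` macros, and a pluggable fetcher; the demo replaces the network with a constructed in-memory dictionary and constructed `example.invalid` URLs, so it runs offline.

```python
"""Verify upstream tarballs against the digests recorded in `sources`.

Added example for the thread above (not fedpkg code). Assumes:
  * `sources` lines look like:  SHA512 (foo-1.0.tar.gz) = <hex>
  * SourceN: tags in the spec carry URLs; only %{name}/%{version}
    macros are expanded, from the Name:/Version: tags.
  * the caller supplies fetch(url) -> bytes (here a constructed dict).
"""
import hashlib
import hmac
import re
from typing import Callable, Dict, Optional, Tuple

# "ALGO (filename) = hexdigest"
SOURCES_RE = re.compile(
    r"^(?P<algo>[A-Z0-9]+)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)


def parse_sources(text: str) -> Dict[str, Tuple[str, str]]:
    """Map file name -> (hashlib algorithm name, expected hex digest)."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SOURCES_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sources line: {line!r}")
        entries[m["name"]] = (m["algo"].lower(), m["hex"].lower())
    return entries


def spec_source_urls(spec: str) -> Dict[str, str]:
    """Map tarball basename -> URL for every SourceN: tag that is a URL.

    A SourceN: value without a scheme is a locally created archive; it gets
    no entry, so it can never be verified against upstream (Vít's point).
    """
    tags = dict(re.findall(r"^(Name|Version):\s*(\S+)", spec, re.M))
    urls: Dict[str, str] = {}
    for _tag, value in re.findall(r"^(Source\d*):\s*(\S+)", spec, re.M):
        for key, val in tags.items():
            value = value.replace("%{" + key.lower() + "}", val)
        if "://" in value:
            urls[value.rsplit("/", 1)[-1]] = value
    return urls


def verify_sources(spec: str, sources: str,
                   fetch: Callable[[str], bytes]) -> Dict[str, bool]:
    """For each `sources` entry: fetch from the spec URL and compare digests.

    Returns name -> True only when the tarball was fetched from a SourceN URL
    and its digest matches; entries with no URL are reported as unverified.
    """
    expected = parse_sources(sources)
    urls = spec_source_urls(spec)
    result: Dict[str, bool] = {}
    for name, (algo, want) in expected.items():
        url: Optional[str] = urls.get(name)
        if url is None:
            result[name] = False          # not downloadable: cannot sign off
            continue
        got = hashlib.new(algo, fetch(url)).hexdigest()
        result[name] = hmac.compare_digest(got, want)
    return result


def demo() -> Dict[str, bool]:
    """Constructed scenario: one good tarball, one tampered, one local-only."""
    good = b"constructed stand-in for foo-1.0.tar.gz"   # not a real tarball
    sources = (
        f"SHA512 (foo-1.0.tar.gz) = {hashlib.sha512(good).hexdigest()}\n"
        f"SHA512 (foo-data.tar.gz) = {hashlib.sha512(b'original data').hexdigest()}\n"
        f"SHA512 (local-only.tar.gz) = {'0' * 128}\n"
    )
    spec = (
        "Name: foo\n"
        "Version: 1.0\n"
        "Source0: https://example.invalid/foo-%{version}.tar.gz\n"
        "Source1: https://example.invalid/foo-data.tar.gz\n"
        "Source2: local-only.tar.gz\n"
    )
    # Constructed "network": what the URLs currently serve.
    fake_net = {
        "https://example.invalid/foo-1.0.tar.gz": good,
        "https://example.invalid/foo-data.tar.gz": b"tampered data",
    }
    return verify_sources(spec, sources, fake_net.__getitem__)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'NOT VERIFIED'}")
```

Only the entry whose digest matches what the SourceN URL serves is reported as verified; the tampered download fails the comparison, and the locally built archive is flagged because there is no upstream URL to fetch it from, which is exactly the case Vít says should remain the exception.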