Vít Ondruch wrote on Tue, 3 Oct 2017 08:21:57 +0200:
I'd love that, which is what COPR is already doing (AFAIK) when you upload a SPEC. I suggested fedorapeople space if the packager is expected to hand the sources himself.

On 2.10.2017 at 22:31, Hedayat Vatankhah wrote:
> Björn Persson wrote on Mon, 2 Oct 2017 16:28:02 +0200:
>> Dennis Gilmore <dennis@xxxxxxxx> wrote:
>>> Today we rely on you as a packager verifying the sources, and by uploading them directly you are saying this is really what I intended to send you and I have ensured that it is good. You would need to work with release engineering and infrastructure to come up with some way to sign off on the code being used.
>>
>> Like maybe writing a hash of the tarball in the sources file (with some help from fedpkg perhaps) and checking that in? Then a server in the Fedora Project infrastructure could fetch the tarball from the Source URL in the spec and verify that it matches the hash.
>
> I think it should work & it should be easy enough. Also, instead of 'pulling down from random machines', it'd be enough if it is not a random machine, but the packager's fedorapeople space. It'd be enough if there is a way to upload sources from there (and possibly remove them automatically after that).
>
> If the sources were downloaded from somewhere, then it should be the SourceX URL, nothing else makes sense IMHO. I know that you can create the source archive by yourself for various reasons, but that should be the exception, not the rule ...
>
> Hedayat

Vít
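The check Björn sketches above (a digest recorded in the `sources` file, an infrastructure host fetching the tarball from the spec's Source URL and comparing the two), written out as an added example; this is not code from the thread, from fedpkg, or from Fedora infrastructure. It assumes the two `sources` layouts fedpkg has used (the current `SHA512 (file) = hex` form and the older bare-md5 form), a deliberately minimal spec reader that only expands `%{name}` and `%{version}`, and a `fetch` callable standing in for the HTTP client; the spec text, tarball bytes and digest are constructed stand-ins, so the whole thing runs offline.

```python
import hashlib
import re

# Constructed sample inputs; nothing here is taken from the list thread.
SPEC_TEXT = """\
Name:     example
Version:  1.2.3
Release:  1%{?dist}
Source0:  https://example.invalid/releases/%{name}-%{version}.tar.gz
"""

# Stand-in for the bytes the upstream URL would serve.
GOOD_TARBALL = b"constructed stand-in for example-1.2.3.tar.gz contents\n"

# A "sources" file in fedpkg's current format: "<ALGO> (<filename>) = <hexdigest>".
# The digest is computed here only so the sample stays self-consistent.
SOURCES_TEXT = "SHA512 (example-1.2.3.tar.gz) = %s\n" % hashlib.sha512(GOOD_TARBALL).hexdigest()


def spec_macros(spec_text):
    """Collect the plain Name:/Version: fields so %{name}/%{version} can be expanded."""
    macros = {}
    for line in spec_text.splitlines():
        m = re.match(r"^(Name|Version)\s*:\s*(\S+)", line)
        if m:
            macros[m.group(1).lower()] = m.group(2)
    return macros


def expand(value, macros):
    """Expand %{name} / %{version} style references; unknown macros are left untouched."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), value)


def source_urls(spec_text):
    """Map the basename of every SourceN: URL in the spec to its expanded URL."""
    macros = spec_macros(spec_text)
    urls = {}
    for line in spec_text.splitlines():
        m = re.match(r"^Source\d*\s*:\s*(\S+)", line)
        if m:
            url = expand(m.group(1), macros)
            urls[url.rsplit("/", 1)[-1]] = url
    return urls


def parse_sources(sources_text):
    """Parse a 'sources' file into {filename: (algorithm, hexdigest)}.

    Accepts the current "SHA512 (file) = hex" lines and the legacy "md5hex  file" lines;
    anything else is rejected rather than silently skipped.
    """
    expected = {}
    for line in sources_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9]+) \((.+)\) = ([0-9a-fA-F]+)$", line)
        if m:
            expected[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
            continue
        m = re.match(r"^([0-9a-fA-F]{32})\s+(\S+)$", line)
        if m:
            expected[m.group(2)] = ("md5", m.group(1).lower())
            continue
        raise ValueError("unrecognised sources line: %r" % line)
    return expected


def digest_matches(data, algorithm, hexdigest):
    """Hash the fetched bytes with the recorded algorithm and compare to the recorded digest."""
    return hashlib.new(algorithm, data).hexdigest() == hexdigest


def verify_sources(spec_text, sources_text, fetch):
    """Fetch every file named in 'sources' from its SourceN URL and check its digest.

    `fetch` is a callable url -> bytes, so a real HTTP client can be swapped for a fake.
    Returns {filename: True/False}. A file listed in 'sources' with no SourceN URL naming
    it is an error: there is nothing to fetch it from, so the digest cannot be vouched for.
    """
    urls = source_urls(spec_text)
    results = {}
    for filename, (algorithm, hexdigest) in parse_sources(sources_text).items():
        if filename not in urls:
            raise KeyError("%s is listed in sources but no SourceN URL names it" % filename)
        results[filename] = digest_matches(fetch(urls[filename]), algorithm, hexdigest)
    return results


if __name__ == "__main__":
    honest = lambda url: GOOD_TARBALL
    tampered = lambda url: GOOD_TARBALL + b"extra bytes"
    print(verify_sources(SPEC_TEXT, SOURCES_TEXT, honest))    # {'example-1.2.3.tar.gz': True}
    print(verify_sources(SPEC_TEXT, SOURCES_TEXT, tampered))  # {'example-1.2.3.tar.gz': False}
```

The digest line is what gets committed alongside the spec, so the packager signs off on a specific artefact without ever uploading it; the server side then only needs the spec, the `sources` file and network access to the Source URL. Keying the lookup on the URL's basename is the simplification here: a spec whose Source line uses a `#/` rename suffix or a non-URL Source would need the reader extended before this check could be trusted.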