On 2019-07-24, Igor Gnatenko <ignatenkobrain@xxxxxxxxxxxxxxxxx> wrote:
> we've got a new section in Packaging Guidelines about verifying upstream
> sources[0] with GPG. Please use it whenever possible :)
[...]
> [0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

May I know an FPC ticket where this change was discussed and approved?

I have a few objections:

(1) I don't agree this feature is helpful. If we don't trust the ./sources file content in dist-git, we cannot trust a keyring stored in the same dist-git repository. In other words, it only brings more code into spec files and the build process that consumes resources and can fail.

(2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'" command is awfully verbose. "%{gpgverify}" defaulting to "%{gpgverify 2 1 0}" for single-source packages would provide the same functionality with less boiler-plate code. Actually, augmenting the %setup macro so that it performs the check automatically, while the user would only build-require gnupg2, would be the best option.

(3) The recommended way of verifying uncompressed sources means double decompression. Decompressing, verifying, and unpacking the uncompressed archive would be more processor friendly.

(4) Verification of modified archives conflicts with a legal requirement that Fedora cannot distribute the unmodified archive.

--
Petr
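As an added example (not from Petr's message, Igor's, or the Fedora guidelines), the spec fragment below shows where the %{gpgverify} command under discussion sits in %prep, and, in comments, the single-decompression flow from objection (3). Package name, version, URLs and the key fingerprint are placeholders.

```spec
# Added example: wiring upstream signature verification into %%prep.
# Name, Version, URLs and the fingerprint in the keyring file name are placeholders.
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Placeholder package showing %%{gpgverify} in %%prep
License:        MIT
URL:            https://example.org/
Source0:        https://example.org/releases/%{name}-%{version}.tar.xz
# Detached signature published by upstream next to the tarball
Source1:        https://example.org/releases/%{name}-%{version}.tar.xz.asc
# Upstream public key exported as a binary keyring and committed to dist-git
# (placeholder fingerprint; the guideline names it gpgkey-<FINGERPRINT>.gpg)
Source2:        gpgkey-0000000000000000000000000000000000000000.gpg

# %%{gpgverify} runs gpgv, so gnupg2 must be present in the buildroot
BuildRequires:  gnupg2

%description
Placeholder package.

%prep
# Verify before anything from Source0 is unpacked or executed.
# gpgverify exits non-zero on a missing or bad signature, which fails the build
# here rather than after untrusted content has been extracted.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q

# If upstream signs the uncompressed .tar instead (the case behind objection 3),
# one way to decompress only once is to verify the .tar and unpack that same file
# rather than letting %%setup decompress the .xz a second time:
#   xz -dc '%%{SOURCE0}' > %%{name}-%%{version}.tar
#   %%{gpgverify} --keyring='%%{SOURCE2}' --signature='%%{SOURCE1}' \
#       --data='%%{name}-%%{version}.tar'
#   %%setup -q -c -T
#   tar -xf '../%%{name}-%%{version}.tar' --strip-components=1
```

The verification line must precede %setup; placing it after extraction would still fail the build on a bad signature, but only after the archive's contents had already been written to the build directory.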