On 25. 07. 19 at 8:46, Petr Pisar wrote:
> On 2019-07-24, Igor Gnatenko <ignatenkobrain@xxxxxxxxxxxxxxxxx> wrote:
>> we've got new section in Packaging Guidelines about verifying upstream
>> sources[0] with GPG. Please use it whenever possible :)
> [...]
>> [0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification
>
> May I know a FPC ticket where this change was discussed and approved?
>
> I have few objections:
>
> (1) I don't agree this feature is helpful. If we don't trust ./sources
> file content in dist-git, we cannot trust keyring stored in the same
> dist-git repository. In other words it only brings another code into
> spec files and build process that consumes resources and can fail.

I had the same objections:

https://pagure.io/packaging-committee/issue/610#comment-144451
https://pagure.io/packaging-committee/issue/610#comment-535982

Vít

> (2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}'
> --data='%{SOURCE0}'" command is awfully verbose. "%{gpgverify}" defaulting
> to "%{gpgverify 2 1 0}" for single-source packages would provide the
> same functionality with less boiler-plate code. Actually augmenting
> %setup macro that would perform the check automatically while user would
> only build-require gnupg2 would be the best option.
>
> (3) Recommended way of verifying uncompressed sources means double
> decompression. Decompressing, verifying, and unpacking uncompressed
> archive would be more processor friendly.
>
> (4) Verification of modified archives conflicts with a legal requirement
> that Fedora cannot distribute the unmodified archive.
>
> -- Petr
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx