BTW, there is this proposal: https://github.com/rpm-software-management/rpm/issues/463 Vít Dne 25. 07. 19 v 11:17 Joe Orton napsal(a): > On Wed, Jul 24, 2019 at 11:15:26PM +0200, Igor Gnatenko wrote: >> Hello, >> >> we've got new section in Packaging Guidelines about verifying upstream >> sources[0] with GPG. Please use it whenever possible :) >> >> Thanks! >> >> >> [0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > It seems completely daft doing this at build time. > > In the historic CVS-based build system which predated what we now use, > we could do GPG key verification at the time of downloading and > importing a new tarball. This makes FAR more sense to me than checking > the signature on the same tarball every build. > > We'd put the set of trusted GPG keys in the repository alongside the > spec file, using some standard filename, and the build system would try > check the .asc against the keys when downloading (or uploading? I can't > remember) a new tarball. This would ensure the tarball uploaded to the > lookaside cache was trusted. > > Regards, Joe > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
