On Thu, Jul 25, 2019 at 06:46:24AM -0000, Petr Pisar wrote: > On 2019-07-24, Igor Gnatenko <ignatenkobrain@xxxxxxxxxxxxxxxxx> wrote: > > we've got new section in Packaging Guidelines about verifying upstream > > sources[0] with GPG. Please use it whenever possible :) > [...] > > [0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification > > (2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' > --data='%{SOURCE0}'" command awfully verbose. "%{gpgverify}" I'm more worried about it relying on GPG at the moment considering the state of the SKS network [1]. What are the changes that we end up breaking a build if we suddenly get a poisoned key? Are we going to break just a build or could this have more annoying consequences? Best, Pierre [1] "SKS Keyserver Network Under Attack" by Robert J. Hansen: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
