On 2019-07-25, Björn Persson <Bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:
> Verifying the signature as part of the build ensures that packagers
> don't forget to verify it.
>
Then it's a job for "fedpkg new-sources" or spectool, not for rpmbuild.

>> (4) Verification of modified archives conflicts with a legal requirement
>> that Fedora cannot distribute the unmodified archive.
>
> If what you package is not what upstream released, then obviously you
> can't verify it against upstream's signature. If you must remove
> something for legal reasons, and you still want to verify the tarball,
> then you can sign your modified tarball with your own key.
>
I misread the guidelines at this point. It requires verification in the code
that modifies the original archive.

-- Petr