Re: [Fedora-packaging] Re: HEADS UP: Source File Verification

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>>>>> "JO" == Joe Orton <jorton@xxxxxxxxxx> writes:

JO> In the historic CVS-based build system which predated what we now
JO> use, we could do GPG key verification at the time of downloading and
JO> importing a new tarball.

You're right; tmz dug up a copy of the old Makefile.common file:
https://tmz.fedorapeople.org/tmp/Makefile.common

I believe this is simply functionality that wasn't duplicated into
fedpkg (or rpkg or whatever) when we stopped using Makefiles.  It would
certainly be useful to have it implemented and is worth someone opening
a ticket.

And in any case, it's still perfectly valid to check signatures at
package %prep time.  Imagine I'm building from an srpm that I've
unpacked, or have grabbed the spec and run spectool -g.  Why not have
the specfile check the signatures at that point?  Doing it there doesn't
preclude doing it at some other step as well, and it's not as if this is
all that computationally expensive these days.

 - J<
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux