Jason L Tibbitts III wrote:
> >>>>> "JO" == Joe Orton <jorton@xxxxxxxxxx> writes:
>
> JO> In the historic CVS-based build system which predated what we now
> JO> use, we could do GPG key verification at the time of downloading and
> JO> importing a new tarball.
>
> You're right; tmz dug up a copy of the old Makefile.common file:
> https://tmz.fedorapeople.org/tmp/Makefile.common

It looks like that searched for and verified signatures when the packager ran "make download". If they downloaded a new tarball with a browser, then it would not be verified automatically. The packager could then download the signature too and run "make download-checks" manually – if they happened to remember and care. Experience shows that most people don't care about security until it's too late, so the verification would often not happen. No one else could know whether the signature had been verified or not.

Having that functionality back could be a useful tool, but it would not replace verification during the build, which the packager can't just forget to do once they have added the one-liner to the spec file.

Björn Persson
Attachment: pgpZbGU0qne5g.pgp (OpenPGP digital signature)
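For readers who have not seen what "the one-liner in the spec file" looks like in practice, here is an added illustration that is not part of the thread: a skeleton spec using the `%{gpgverify}` macro shipped by Fedora's redhat-rpm-config, which runs the check in `%prep` so a mismatched or absent signature fails the build itself rather than depending on a download-time step the packager may skip. The package name, URLs, and key file name are constructed placeholders, and `<UPSTREAM-FINGERPRINT>` stands for the fingerprint of the upstream release-signing key.

```spec
Name:           example-pkg
Version:        1.2.3
Release:        1%{?dist}
Summary:        Constructed example of build-time OpenPGP source verification
License:        MIT
URL:            https://example.org/example-pkg

# Source0: upstream tarball.
# Source1: upstream's detached OpenPGP signature over Source0.
# Source2: the upstream signing key, exported as a binary keyring and
#          committed to dist-git next to the spec (placeholder name).
Source0:        https://example.org/releases/example-pkg-%{version}.tar.gz
Source1:        https://example.org/releases/example-pkg-%{version}.tar.gz.asc
Source2:        gpgkey-<UPSTREAM-FINGERPRINT>.gpg

# %{gpgverify} needs gpgv at build time.
BuildRequires:  gnupg2

%description
Constructed example spec. The tarball is verified against the committed
keyring before it is unpacked, so the check cannot be forgotten: anyone
building the package, not only the packager, gets a failed build if
Source1 does not verify Source0 with a key from Source2.

%prep
# Exits non-zero (and therefore aborts the build) unless Source1 is a
# valid signature over Source0 made by a key present in Source2.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup

%files

%changelog
```

The keyring in Source2 is created once from the upstream key, for example with `gpg2 --export --export-options export-minimal <UPSTREAM-FINGERPRINT> > gpgkey-<UPSTREAM-FINGERPRINT>.gpg`, and reviewed in dist-git like any other source; because the key lives in the repository rather than on a keyserver, the check is pinned to a specific signer and is reproducible in Koji and mock without network access.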
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx