On Thu, Jul 25, 2019 at 07:22:56PM +0200, Björn Persson wrote:
> Jason L Tibbitts III wrote:
> > >>>>> "JO" == Joe Orton <jorton@xxxxxxxxxx> writes:
> >
> > JO> In the historic CVS-based build system which predated what we now
> > JO> use, we could do GPG key verification at the time of downloading and
> > JO> importing a new tarball.
> >
> > You're right; tmz dug up a copy of the old Makefile.common file:
> > https://tmz.fedorapeople.org/tmp/Makefile.common
>
> It looks like that searched for and verified signatures when the
> packager ran "make download". If they downloaded a new tarball with a
> browser, then it would not be verified automatically. The packager
> could then download the signature too and run "make download-checks"
> manually – if they happened to remember and care. Experience shows that
> most people don't care about security until it's too late, so the
> verification would often not happen. No one else could know whether the
> signature had been verified or not.
>
> Having that functionality back could be a useful tool, but it would not
> replace verification during the build, which the packager can't just
> forget to do once they have added the one-liner to the spec file.

If you don't enforce GPG verification at or before "fedpkg upload" there
is no assurance that what hits the lookaside cache is trusted, so I agree
- doing this at build time is a good example of not caring about security
until it's too late.

But I assume the FPC is off doing its own thing and will totally ignore
community feedback as normal, so I'll feel free to carry on ignoring FPC
output and this whole conversation is pointless.
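The gate Joe Orton argues for above, verification enforced at or before the upload rather than left to a build-time macro, written out as an added example for this page. It is not code from the thread, from the old Makefile.common, or from Fedora's fedpkg tooling. Assumed for illustration: the upstream public key is pinned in a file named gpgkey-upstream.gpg kept next to the spec, the real `fedpkg upload` call is replaced by an echo so the script runs offline, and the demo fixture (throwaway key, fake tarball, detached signature, tampered copy) is constructed by the script itself.

```shell
#!/bin/sh
# Pre-upload signature gate (added example, not from the thread or from fedpkg).
# Point from the discussion: enforce GPG verification at or before
# "fedpkg upload", so nothing unverified reaches the lookaside cache.
# Assumptions, not facts from the thread: the upstream public key is pinned in
# "gpgkey-upstream.gpg" next to the spec, and the real upload is stubbed.

# verify_source TARBALL SIGNATURE KEYRING
# Succeeds only if gpgv accepts SIGNATURE over TARBALL with a key from KEYRING.
verify_source() {
    tarball=$1 sig=$2 keyring=$3
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    # A missing signature fails closed: an unsigned upload is exactly what the
    # "if they happened to remember and care" failure mode lets through.
    [ -f "$sig" ] || { echo "no signature for $tarball, refusing upload" >&2; return 1; }
    [ -f "$keyring" ] || { echo "no pinned keyring at $keyring" >&2; return 1; }
    # gpgv trusts every key in the given keyring and nothing else: no web of
    # trust, no keyserver lookup, so a signature by an unknown key is rejected.
    gpgv --keyring "$keyring" "$sig" "$tarball" >/dev/null 2>&1
}

# gated_upload TARBALL SIGNATURE KEYRING
# What a packager (or a dist-git hook) would run instead of a bare upload.
gated_upload() {
    verify_source "$1" "$2" "$3" || { echo "upload blocked: $1 did not verify" >&2; return 1; }
    # A real gate would run: fedpkg upload "$1"   (stubbed so the demo is offline)
    echo "verified $1 against $3, uploading"
}

# make_fixture DIR
# Constructed demo data: a throwaway key in its own GNUPGHOME, a fake tarball,
# its detached signature, the exported public key as the pinned keyring, and a
# tampered copy of the tarball that must be rejected.
make_fixture() {
    dir=$1
    GNUPGHOME="$dir/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Upstream <demo@example.invalid>' default default never \
        >/dev/null 2>&1
    printf 'not really a tarball\n' > "$dir/foo-1.0.tar.gz"
    gpg --batch --quiet --detach-sign --output "$dir/foo-1.0.tar.gz.sig" "$dir/foo-1.0.tar.gz"
    gpg --batch --quiet --export --output "$dir/gpgkey-upstream.gpg"
    cp "$dir/foo-1.0.tar.gz" "$dir/foo-1.0-tampered.tar.gz"
    printf 'x' >> "$dir/foo-1.0-tampered.tar.gz"
}

# Stand-alone demo: the signed tarball passes, the tampered copy is blocked.
if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_fixture "$demo"
    gated_upload "$demo/foo-1.0.tar.gz" "$demo/foo-1.0.tar.gz.sig" "$demo/gpgkey-upstream.gpg"
    gated_upload "$demo/foo-1.0-tampered.tar.gz" "$demo/foo-1.0.tar.gz.sig" "$demo/gpgkey-upstream.gpg" \
        || echo "tampered tarball rejected, as intended"
    rm -rf "$demo"
fi
```

Two design points worth noting. `gpgv` rather than `gpg --verify` is deliberate: it consults only the keyring handed to it, so the check cannot be satisfied by a key that happens to be in the packager's personal keyring or fetched from a keyserver. And the gate refuses when the signature file is simply absent, because "verify if a signature is around" is the optional step the thread says people forget; "refuse unless a signature verifies" is the enforced one.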
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx