Joe Orton wrote: > If you don't enforce GPG verification at or before "fedpkg upload" there > is no assurance that what hits the lookaside cache is trusted, so I > agree - doing this at build time is a good example of not caring about > security until it's too late. I hope most people reading this can see the flaws in that reasoning. > But I assume the FPC is off doing its own thing and will totally ignore > community feedback as normal, It took a long time and some prodding, but the fact that the source file verification policy was eventually accepted is proof that this accusation is false. Björn Persson
Attachment:
pgpgHGIWJZrIn.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
