On Fri, Jun 25, 2021 at 10:43:17AM -0400, Neal Gompa wrote: > On Fri, Jun 25, 2021 at 9:04 AM Frédéric Pierret > <frederic.pierret@xxxxxxxxxxxx> wrote: > > > > > > > > Le 6/25/21 à 2:51 PM, Neal Gompa a écrit : > > > On Fri, Jun 25, 2021 at 3:43 AM Zbigniew Jędrzejewski-Szmek > > > <zbyszek@xxxxxxxxx> wrote: > > >> > > >> On Fri, Jun 25, 2021 at 03:49:23AM +0000, Dan Čermák wrote: > > >>> > > >>> > > >>> On June 24, 2021 9:22:51 PM UTC, "Miro Hrončok" <mhroncok@xxxxxxxxxx> wrote: > > >>>> On 24. 06. 21 23:07, Miroslav Suchý wrote: > > >>>>> Dne 24. 06. 21 v 15:48 Tomas Tomecek napsal(a): > > >>>>>>> One thing to consider is that the upstream tarballs might be > > >>>> cryptographically > > >>>>>>> signed and packages should verify the signature in %prep. > > >>>>>> This is a very good point - in such a case, we should always pull > > >>>> the > > >>>>>> official upstream tarball instead of generating a new one downstream > > >>>>> > > >>>>> Does it matter? If you are able to generate byte2byte identical > > >>>> tarball then > > >>>>> you can choose any of them. > > >>>> > > >>>> AFAIK git does not grantee to produce byte2byte identical archives > > >>>> across > > >>>> different versions of git, zlib, gzip etc. So even if upstream signs > > >>>> the git > > >>>> generated archive, generating a byte2byte identical one might be > > >>>> tricky. > > >>> > > >>> Especially with xz, which iirc has reproducibility issues in parallel mode. > > >> > > >> I think we should try to push upstream to sign git tags, instead or in > > >> addition to tarballs. For upstreams, this is actually much easier > > >> (just 'git tag' → 'git tag -s' and you're done) compared to e.g. signing > > >> a tarball on github which requires some interaction with the web service. > > >> > > > > > > As an upstream, I would literally *never* GPG sign git tags. If you > > > ask me to do that, I won't. It's far too annoying to deal with for me > > > to be willing to suffer through that. > > > > > > I'm not going to ask people to do something I would be unwilling to do myself. > > > > What about only version tags? You could do some git/bash alias to create commit version + signed tag at once. For example, we do that on Qubes OS and that's not more work that just committing the version. > > > > The problem is that the workflow for tag signatures sucks for Git. And > I'd need to get it registered in the forges or whatever systems are > used to consume and verify signatures. That's Herculean in a way that > I'm unwilling to deal with. I guess I'm missing something. What is hard about doing signed tags? Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
