Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Review Request: zeroinstall-injector https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=181801 ------- Additional Comments From paul@xxxxxxxxxxxx 2006-02-22 01:57 EST ------- (In reply to comment #4) > I agree on the second point, but about Source0, as I explained, the upstream > source is a signed GPG file. Using the upstream source would require a > BuildRequires on gnupg .. > > The source verification can be done by downloading the GPG-ed tarball from here: > http://sourceforge.net/project/showfiles.php?group_id=76468&package_id=146899&release_id=390954 > > So the options are: > - point Source0 to the .tar.gz.gpg file, BuildReq on gnupg > - Manual verification of the source tarball (take the upstream source, gpg > --decrypt ${file} > newfile, compare md5sums or do a diff) I would advocate the first option; it allows people to do: $ spectool --gf zeroinstall-injector.spec to retrieve the sources directly from upstream. Shouldn't the buildreq be python-devel rather than python? -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact. -- fedora-extras-list mailing list fedora-extras-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-extras-list