https://bugzilla.redhat.com/show_bug.cgi?id=1272235

--- Comment #3 from Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> ---
(In reply to Miroslav Suchý from comment #2)
> > I think it is very useful and increases security of various cross-distro
> > installation. I wonder though whether not to remove Fedora and EPEL keys
> > from this, since they will be included in fedora-repos, or maybe to add a
> > check to make sure that they are identical in both packages.
>
> bug 1246701 speaks just about old fedora keys, not about epel IIRC.

Oh, right, fedora-repos is only about Fedora repos and keys.

> > Regarding packaging:
> > - why not use a github tarball directly? It's much nicer than to force a git
> > clone and additional steps.
>
> Because github tarball checksum was not stable in past (not sure if this
> changed recently). Also the URL is changing nearly each year. At least the
> URL we should use as suggested by Fedora Guidelines.
> And I do not use or create tar.gz at all. I just wrote
>   tito --srpm
> and it will craft (binary identical) tar.gz for me.

The tarballs are stable, and are actually recommended by the guidelines.
https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags