https://bugzilla.redhat.com/show_bug.cgi?id=1834731

--- Comment #26 from Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> ---
(In reply to marco from comment #25)
> Source12 simply downloads the key from
> https://bitcoin.org/laanwj-releases.asc without checking the hash or
> fingerprint, so there is no way to detect changes. What am I missing?

You're missing the fact that RPMbuild doesn't download anything and the Koji builders are isolated from Internet access. All sources and patches are taken from the Fedora Project's Git repository and lookaside cache, and change only when a package maintainer uploads a new file.

Our source file verification policy says that the keyring shall be committed to Git:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

The URL is there to document where the keyring came from, so that anyone can download it and verify that it's identical to the one in Git.
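
The check described in the comment's last paragraph, as an added example that is not part of the original comment or of Fedora's tooling: it compares the keyring committed to the package's Git repository with a copy fetched from the Source URL, first byte for byte and then (going beyond the comment) by primary-key fingerprint. The file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example, not Fedora tooling. File paths are assumptions.
# Fetch the upstream copy first, e.g.:
#   curl -fsSo upstream.asc https://bitcoin.org/laanwj-releases.asc

# Read `gpg --with-colons` output on stdin; print sorted primary-key fingerprints.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }   # the next fpr record is a primary key
        $1 == "sub" { want = 0; next }   # skip subkey fingerprints
        $1 == "fpr" && want { print $10; want = 0 }
    ' | sort -u
}

# compare_keyrings COMMITTED FETCHED
#   prints "identical", returns 0: byte-for-byte match
#   prints "same-keys", returns 1: bytes differ but the primary keys match
#   prints "different", returns 2: key set differs or a file is not a keyring
compare_keyrings() {
    committed=$1
    fetched=$2
    if cmp -s "$committed" "$fetched"; then
        echo identical
        return 0
    fi
    a=$(gpg --show-keys --with-colons "$committed" 2>/dev/null | primary_fprs)
    b=$(gpg --show-keys --with-colons "$fetched" 2>/dev/null | primary_fprs)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo same-keys
        return 1
    fi
    echo different
    return 2
}

# Run as: sh compare.sh path/to/git/keyring.asc upstream.asc
if [ "$#" -eq 2 ]; then
    compare_keyrings "$1" "$2"
fi
```

A "same-keys" result still deserves a look at what changed (new signatures, user IDs or expiry dates) before the committed keyring is updated.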