https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #27 from Oleg Girko <ol+redhat@xxxxxxxxxxxxx> --- (In reply to Björn Persson from comment #26) > (In reply to marco from comment #25) > > Source12 simply downloads the key from > > https://bitcoin.org/laanwj-releases.asc without checking the hash or > > fingerprint, so there is no way to detect changes. What am I missing? > > You're missing the fact that RPMbuild doesn't download anything and the Koji > builders are isolated from Internet access. All sources and patches are > taken from the Fedora Project's Git repository and lookaside cache, and > change only when a package maintainer uploads a new file. Our source file > verification policy says that the keyring shall be committed to Git: > https://docs.fedoraproject.org/en-US/packaging-guidelines/ > #_source_file_verification > > The URL is there to document where the keyring came from, so that anyone can > download it and verify that it's identical to the one in Git. This looks too dependent on Fedora infrastructure. What about those who want to re-build the package from the spec file on their computer (and download all necessary sources using spectool)? What about those who want to re-build the package using OBS and download_files source service? I think, the main PGP public key's checksum should be embedded into spec file and checked against to make sure all re-downloaded sources are correct. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
