https://bugzilla.redhat.com/show_bug.cgi?id=1834731 --- Comment #28 from Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> --- (In reply to Oleg Girko from comment #27) > What about those who want to re-build the package from the spec file I would recommend rebuilding from the source RPM package. Rebuilding from only a spec isn't possible in the general case. Many packages have patches, and sometimes there is no working URL to a source. Those will be missing if you try to rebuild from only the spec. > I think, the main PGP public key's checksum should be embedded into spec > file and checked against to make sure all re-downloaded sources are correct. That wouldn't hurt. You would want a GnuPG command – or a series of commands – to verify that the given keyring contains a key with the given fingerprint, and also that it doesn't contain any other keys. Can you propose such a command? Don't forget to ensure that GnuPG will look only in the specified keyring even if the user has a default keyring. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
