James Laska (jlaska@xxxxxxxxxx) said: > On Fri, 2010-04-09 at 08:38 -0400, Bill Davidsen wrote: > > The rpm kernel-2.6.33.1-19.fc13_2.6.33.1-24.fc13.x86_64.drpm downloaded, then it > > looks as if it created an rpm by applying the delta and decided the rpm wasn't > > signed? And there's also an rpm kernel-2.6.33.1-24.fc13.x86_64.rpm, which I > > assume is the rpm created by the delta. > > > > Is this some download error, or is there another problem with unsigned packages > > getting into the repos? I did repeat the download, same CRC... > > Seems worthy to add a package acceptance criteria to the Package Update > Acceptance Criteria [1] similar to the following: > > * Packages must be signed with a valid Fedora GPG signature > > I guess one could argue that the existing criteria "Packages must be > able to install cleanly" would include valid signatures. But it doesn't > hurt to be specific here. > > Comments/concerns/ideas? The process flow is: 1. package is built in koji <any delay from maintainer> 2. update is submitted in bodhi <delay until next push> 3. package is signed <then nearly instantaneously> 4. package is pushed The checks we've added in the criteria so far would almost all be done between 1) and 2), or right after 2). Checking for signature doesn't fit in at the same point in the workflow. That being said, bodhi's supposed to bounce the packages if they aren't signed. Bill -- test mailing list test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test