Samuel Sieb wrote:
On 07/12/2017 05:44 AM, Bastien Nocera wrote:
> "developers not having to learn GPG to sign their *Flatpak* releases"
>
> I really don't understand how you misinterpreted that sentence so badly,
> individual Fedora developers never had to GPG sign their Fedora
> packages...
That "*Flatpak*" was not in the original sentence and it really confused
me too. I was pretty sure individual maintainers didn't sign the RPMs,
so I wondered why that was a benefit of flatpaks. So now I understand
that the point is that Fedora signs the flatpaks instead of the
developers of the applications.
If I ship third-party packages in a third-party repository on my own
infrastructure (see
repo.calcforge.org), I do have to sign them myself.
The way I understood the sentence was that Flatpaks shipped on third-party
sites don't have to be signed. This is apparently not the case, and what
Bastien really meant is that Koji will take care of the signing for Flatpaks
built in Koji as it does for RPMs built in Koji. But that was not clear from
what he originally wrote.
Kevin Kofler