On 2019-07-24, Igor Gnatenko <ignatenkobrain(a)fedoraproject.org> wrote:
> we've got a new section in Packaging Guidelines about verifying upstream
> sources[0] with GPG. Please use it whenever possible :)
> [...]
May I know a FPC ticket where this change was discussed and approved?
I have a few objections:
(1) I don't agree this feature is helpful. If we don't trust ./sources
file content in dist-git, we cannot trust a keyring stored in the same
dist-git repository. In other words it only brings another code into
spec files and build process that consumes resources and can fail.
(2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}'
--data='%{SOURCE0}'" command is awfully verbose. "%{gpgverify}" defaulting
to "%{gpgverify 2 1 0}" for single-source packages would provide the
same functionality with less boilerplate code. Actually augmenting the
%setup macro so that it would perform the check automatically while the user
would only build-require gnupg2 would be the best option.
(3) The recommended way of verifying uncompressed sources means double
decompression. Decompressing, verifying, and unpacking the uncompressed
archive would be more processor friendly.
(4) Verification of modified archives conflicts with a legal requirement
that Fedora cannot distribute the unmodified archive.
-- Petr