On Thu, Jul 25, 2019 at 06:46:24AM -0000, Petr Pisar wrote:
On 2019-07-24, Igor Gnatenko <ignatenkobrain(a)fedoraproject.org> wrote:
> we've got new section in Packaging Guidelines about verifying upstream
> sources[0] with GPG. Please use it whenever possible :)
[...]
> [0]
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_v...
(2) The "%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'" command is awfully verbose. "%{gpgverify}"
I'm more worried about it relying on GPG at the moment considering the state of
the SKS network [1].
What are the chances that we end up breaking a build if we suddenly get a
poisoned key? Are we going to break just a build, or could this have more
annoying consequences?
Best,
Pierre
[1] "SKS Keyserver Network Under Attack" by Robert J. Hansen:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
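As an added illustration (not from the thread, and not any real package), here is what the guideline's pattern looks like in a spec file; the package name, URLs and key id are placeholders. The detail that matters for the question above is that the keyring is a pinned Source file shipped with the package, so at build time the signature is checked against that file rather than against whatever a keyserver currently serves; a poisoned copy of the key only becomes a problem when a maintainer regenerates that file from a keyserver.

```spec
# Added example, not from the thread: placeholder package, URLs and key id.
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Example of upstream source signature verification

License:        MIT
URL:            https://example.org/
Source0:        https://example.org/releases/%{name}-%{version}.tar.gz
# Detached signature published by upstream next to the tarball
Source1:        https://example.org/releases/%{name}-%{version}.tar.gz.asc
# Pinned public keyring committed alongside the spec. It is regenerated by
# the maintainer, e.g. from a key obtained from the upstream project itself:
#   gpg2 --export --export-options export-minimal <UPSTREAM_KEY_ID> > gpgkey-<UPSTREAM_KEY_ID>.gpg
# The build consults only this file, not a keyserver.
Source2:        gpgkey-<UPSTREAM_KEY_ID>.gpg

BuildRequires:  gnupg2

%description
Example package showing the %%{gpgverify} pattern from the guidelines.

%prep
# Aborts the build if Source1 is not a valid signature over Source0
# made by a key contained in Source2.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```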