On Fri, May 8, 2020 at 4:25 PM Fabio Valentini
<decathorpe(a)gmail.com> wrote:
>
> On Fri, May 8, 2020 at 9:55 PM Zbigniew Jędrzejewski-Szmek
> <zbyszek(a)in.waw.pl> wrote:
> >
> > On Fri, May 08, 2020 at 03:12:15PM -0400, David Cantrell wrote:
> > > WHAT I WANT TO BE ABLE TO DO:
> > >
> > > * View Fedora's dist-git repos as authoritative for packages built for
> > > Fedora. That is, I want to see a package on my Fedora system and be able to
> > > visit its dist-git repo to see how it's packaged.
> >
> > Well said.
> >
> > > * Make the lookaside cache optional. For SourceX lines, I want to be able to
> > > specify a git URL to a specific tag. fedpkg should use git archive to
> > > include that in the SRPM. e.g.:
> > >
> > > Source0: https://github.com/rpminspect/rpminspect/archive/v0.12
> >
> > Yes. This is somewhat orthogonal to the dist-git / source-git
> > question. It would be absolutely great to have this right now on top of
> > dist-git, so we don't need to do the step of 'amend Source0, spectool -g,
> > fedpkg new-sources, git commit'.
>
> Huh? You mean have koji download sources from upstream directly?
> I don't think that's a good idea, and it doesn't have external network
> access anyway ...
>
> Having autofetching by Koji would require the ability to specify the
> checksum for the file in the spec, IMO:
> https://github.com/rpm-software-management/rpm/issues/463
> A central way to validate the source is "valid" that is portable
> across systems (koji, copr, obs, etc.) would make this a lot easier to
> trust.
Agreed, though I would also add that checking GPG signatures on signed tags if
the tag is signed is also valuable. Those would be complementary.
Thanks,
--
David Cantrell <dcantrell(a)redhat.com>
Red Hat, Inc. | Boston, MA | EST5EDT
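The two checks discussed in this thread, a pinned checksum for a fetched SourceX archive and signature verification of a signed upstream tag, as a small added shell example. This is not code from the thread, from fedpkg, Koji or rpm; it assumes `sha256sum` (coreutils) and `git`/`gpg` are on the build host, and the demo runs only the checksum path on a constructed file, since tag verification needs the upstream signing key in the local keyring.

```shell
#!/bin/sh
# Added example: gate a fetched source archive on a checksum pinned in the
# spec, and verify the upstream git tag's signature. Hypothetical helper
# names; not part of any Fedora tooling.

# verify_source_checksum FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals EXPECTED_SHA256, 1 otherwise.
# The pinned value would come from the spec (the rpm issue linked above
# proposes a place for it); here it is passed in by the caller.
verify_source_checksum() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches pinned sha256"
        return 0
    fi
    echo "MISMATCH: $file sha256=$actual expected=$expected" >&2
    return 1
}

# verify_signed_tag REPO TAG
# Wraps 'git verify-tag'; succeeds only if the tag carries a valid signature
# from a key already trusted in the local gpg keyring. Complementary to the
# checksum: the checksum pins exact bytes, the signature ties them to upstream.
verify_signed_tag() {
    git -C "$1" verify-tag "$2"
}

# Demo on a constructed file standing in for a downloaded archive
# (not a real upstream tarball). Returns "0 1": the correct pinned checksum
# passes, a wrong one is rejected.
demo_checksum() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    # sha256 of the constructed content "hello\n"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    # deliberately wrong pin, e.g. a tampered or re-rolled archive
    bad=0000000000000000000000000000000000000000000000000000000000000000
    if verify_source_checksum "$tmp" "$good" >/dev/null 2>&1; then ok=0; else ok=1; fi
    if verify_source_checksum "$tmp" "$bad" >/dev/null 2>&1; then fail=0; else fail=1; fi
    rm -f "$tmp"
    echo "$ok $fail"
}
```

In a real build step the archive path and the pinned digest would be read from the spec, and `verify_signed_tag` would run against the cloned upstream repository before `git archive` produces the tarball that goes into the SRPM; a failure of either check should stop the build rather than fall through to the lookaside copy.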