On Fri, May 08, 2020 at 04:28:37PM -0400, Neal Gompa wrote:
On Fri, May 8, 2020 at 4:25 PM Fabio Valentini <decathorpe@gmail.com> wrote:
On Fri, May 8, 2020 at 9:55 PM Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> wrote:
On Fri, May 08, 2020 at 03:12:15PM -0400, David Cantrell wrote:
WHAT I WANT TO BE ABLE TO DO:
- View Fedora's dist-git repos as authoritative for packages built for Fedora. That is, I want to see a package on my Fedora system and be able to visit its dist-git repo to see how it's packaged.
Well said.
- Make the lookaside cache optional. For SourceX lines, I want to be able to specify a git URL to a specific tag. fedpkg should use git archive to include that in the SRPM. e.g.:
Source0: https://github.com/rpminspect/rpminspect/archive/v0.12
Yes. This is somewhat orthogonal to the dist-git / source-git question. It would be absolutely great to have this right now on top of dist-git, so we don't need to do the step of 'amend Source0, spectool -g, fedpkg new-sources, git commit'.
Huh? You mean have koji download sources from upstream directly? I don't think that's a good idea, and it doesn't have external network access anyway ...
Having autofetching by Koji would require the ability to specify the checksum for the file in the spec, IMO: https://github.com/rpm-software-management/rpm/issues/463
A central way to validate the source is "valid" that is portable across systems (koji, copr, obs, etc.) would make this a lot easier to trust.
Agreed, though I would also add that checking GPG signatures on signed tags, if the tag is signed, is also valuable. Those would be complementary.
Thanks,
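
The checksum requirement raised in this thread, as an added example that is not part of the original messages or of any Fedora tool: a fetched source is accepted only if it matches a digest pinned in the repository, using the BSD-style line format that dist-git `sources` files use. The function names, the sample file name and the sample bytes are constructed for illustration; verifying a signed tag would be a separate, complementary check.

```python
import hashlib
import hmac
import re

# BSD-style pin line, the form used in a dist-git "sources" file:
#   SHA512 (name.tar.gz) = <hex digest>
ENTRY = re.compile(r"^(?P<alg>[A-Z0-9]+) \((?P<name>[^()/]+)\) = (?P<hex>[0-9a-f]+)$")
ALLOWED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}  # no MD5/SHA1


class SourceMismatch(Exception):
    """Raised when a fetched source cannot be tied to a pinned digest."""


def parse_pins(text):
    """Return {filename: (alg, hexdigest)}; reject unknown or weak entries."""
    pins = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line.strip())
        if m is None or m["alg"] not in ALLOWED:
            raise SourceMismatch(f"line {n}: unsupported pin format or algorithm")
        if len(m["hex"]) != ALLOWED[m["alg"]]().digest_size * 2:
            raise SourceMismatch(f"line {n}: digest length wrong for {m['alg']}")
        if m["name"] in pins:
            raise SourceMismatch(f"line {n}: duplicate pin for {m['name']}")
        pins[m["name"]] = (m["alg"], m["hex"])
    return pins


def verify_source(name, data, pins):
    """Fail closed: a file with no pin is rejected, not trusted."""
    if name not in pins:
        raise SourceMismatch(f"{name}: no pinned checksum")
    alg, expected = pins[name]
    actual = ALLOWED[alg](data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise SourceMismatch(f"{name}: {alg} mismatch")
    return alg


# Constructed sample: stand-in bytes for a fetched tarball and its pin.
TARBALL = b"constructed stand-in for rpminspect-0.12.tar.gz\n"
PINS_TEXT = f"SHA512 (rpminspect-0.12.tar.gz) = {hashlib.sha512(TARBALL).hexdigest()}\n"

if __name__ == "__main__":
    print(verify_source("rpminspect-0.12.tar.gz", TARBALL, parse_pins(PINS_TEXT)))
```

Because the pin lives in the repository and the check needs only the file bytes, the same verification can run unchanged wherever the build happens.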