On Thu, Jul 13, 2017 at 11:55:52AM -0400, Randy Barlow wrote:
On Thu, 2017-07-13 at 00:36 +0200, Kevin Kofler wrote:
> Koji will take care of the signing for Flatpaks
> built in Koji as it does for RPMs built in Koji.
So there is change really.
Before: developers sign tarball, packagers authenticate to Fedora, Fedora signs rpm
With Flatpaks: developers sign tarball, packagers authenticate to Fedora, Fedora signs Flatpak
Same amount of links of trust, same amount of signatures. No?
> Sigul[0] is actually the system that signs the packages. They are
> placed into a Koji tag when they need to be signed, and when Sigul is
> done signing them it moves them into a new Koji tag.
>
> [0] https://pagure.io/sigul