On Tue, 2016-03-22 at 22:45 +0100, Björn Persson wrote:
> I suppose so, at least if the key is specified as only a filename. What
> will it do if a URL to the key is provided, and the key at that location
> has been modified? Will it replace the key with the modified one in the
> scratch build, …

That behaviour would be... suboptimal.
The key (or at least its fingerprint) should be committed directly to
pkg git after being obtained through some trusted method — which
depends on how upstream publishes it. For reference, I put a couple of
examples into https://fedorahosted.org/fpc/ticket/610#comment:6
--
David Woodhouse Open Source Technology Centre
David.Woodhouse(a)intel.com Intel Corporation
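
The fingerprint pinning described in the message above, as an added example that is not part of the original thread or of any Fedora tooling: it computes the OpenPGP v4 fingerprint (RFC 4880, section 12.2) of a binary, dearmored key and compares it with a value committed alongside the package. The function names, the sample key bytes and the `PINNED` value are assumptions constructed for illustration.

```python
import hashlib
import struct

def first_pubkey_body(data: bytes) -> bytes:
    """Body of the leading Public-Key packet (tag 6) of a binary OpenPGP key."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:                      # new-format packet header
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                   # old-format packet header
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype                      # length field is 1, 2 or 4 octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body

def v4_fingerprint(data: bytes) -> str:
    """SHA-1 over 0x99, a two-octet body length, then the packet body."""
    body = first_pubkey_body(data)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_matches_pin(data: bytes, pinned: str) -> bool:
    """True only if the key's fingerprint equals the one committed to git."""
    return v4_fingerprint(data) == pinned.replace(" ", "").upper()

# Constructed sample: a structurally valid v4 RSA packet with toy MPIs, not a usable key.
_body = (b"\x04" + struct.pack(">I", 1458686700) + b"\x01"
         + b"\x00\x40" + bytes.fromhex("d3a1b2c3d4e5f607")   # n, 64 bits
         + b"\x00\x11\x01\x00\x01")                          # e = 65537
SAMPLE_KEY = b"\x98" + bytes([len(_body)]) + _body
PINNED = v4_fingerprint(SAMPLE_KEY)         # stands in for the committed fingerprint
_changed = bytearray(SAMPLE_KEY)
_changed[-6] ^= 0x01                        # key at the URL modified after pinning
REFETCHED = bytes(_changed)

if __name__ == "__main__":
    print("original :", key_matches_pin(SAMPLE_KEY, PINNED))
    print("refetched:", key_matches_pin(REFETCHED, PINNED))
```

A key fetched from a URL at build time is accepted only when `key_matches_pin` returns true, so a key modified upstream fails the check rather than replacing the trusted one.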