On Sun, Sep 24, 2017 at 10:56:45AM +0330, Hedayat Vatankhah wrote:
Dear all,
Currently, AFAIK, the suggested method to upload new sources for a package
is using 'fedpkg new-sources' which uploads new sources from your local
system. I wonder if there is a method to upload new sources from a URL
rather than your local filesystem? It is specially useful for large
packages.
It's an interesting idea but then it would become quite hard to check if there
is a mitm attack of some sort. With the current process, at least the packager
has the possibility to check the sources locally before uploading them into
Fedora.
The solution would be to provide the sha + the url and let the down be server
side but that won't save you from downloading the sources locally first.
Pierre