Joe Orton wrote:
> If you don't enforce GPG verification at or before "fedpkg upload" there
> is no assurance that what hits the lookaside cache is trusted, so I
> agree - doing this at build time is a good example of not caring about
> security until it's too late.

I hope most people reading this can see the flaws in that reasoning.

> But I assume the FPC is off doing its own thing and will totally ignore
> community feedback as normal,
It took a long time and some prodding, but the fact that the source
file verification policy was eventually accepted is proof that this
accusation is false.
Björn Persson
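The point under discussion is where the signature check sits in the pipeline: if it runs only at build time, an unsigned or tampered tarball has already been accepted into the lookaside cache. The script below is an added example, not code from this thread, from fedpkg or from the Fedora infrastructure; it shows one way to gate the upload on a detached OpenPGP signature checked against a pinned keyring. The function names, the `trusted.gpg` keyring file and the `.sig` naming are assumptions for illustration; `gpgv` and `fedpkg upload` are the real tools.

```shell
#!/bin/sh
# Added example (not part of the original thread or of fedpkg).
# Verify a detached OpenPGP signature on a source file against a pinned
# keyring BEFORE the file is handed to "fedpkg upload", so nothing that
# failed verification can reach the lookaside cache.
#
# Assumptions (hypothetical): the packager has exported the upstream
# signing key(s) into KEYRING with "gpg --export -o KEYRING", and the
# upstream signature is a detached file (FILE.sig or FILE.asc).

# verify_source FILE SIG KEYRING
# Returns 0 only if SIG is a good signature over FILE made by a key that
# is present in KEYRING. Any other state (missing input, bad signature,
# unknown key) is a failure.
verify_source() {
    file=$1; sig=$2; keyring=$3
    [ -f "$file" ] && [ -f "$sig" ] && [ -f "$keyring" ] || return 2
    # gpgv trusts exactly the keys in the supplied keyring; it does not
    # consult the user's default keyring or the web of trust, so a key
    # that merely happens to be on a keyserver is not enough.
    gpgv --keyring "$keyring" "$sig" "$file" 2>/dev/null
}

# upload_if_verified FILE SIG KEYRING
# Wrapper so the verification cannot be skipped by accident: the upload
# command is only reached after verify_source has succeeded.
upload_if_verified() {
    if verify_source "$1" "$2" "$3"; then
        echo "signature OK, uploading $1"
        fedpkg upload "$1"
    else
        echo "refusing to upload $1: no valid signature from a trusted key" >&2
        return 1
    fi
}
```

Because `gpgv` is given an explicit keyring, the policy question of "which keys are trusted for this package" is answered by the contents of that file, which can itself be reviewed and tracked in the package repository; the check does not depend on the state of the packager's personal GnuPG setup. The wrapper is what a packager would run in place of a bare `fedpkg upload`.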