On Wed, Mar 30, 2016 at 02:44:44PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
On Wed, Mar 30, 2016 at 02:26:59PM -0000, Ralf Senderek wrote:
[snip the part I completely agree with]
> Having said the above, I also advocate a SHOULD instead of a MUST in
> the guidelines as providing a signature with the source tarball is
> voluntary for upstream and should be viewed as an additional means
> to maintain the integrity of the code that should be honoured in the
> spec file.
What the upstream does is something that we cannot control, and we can
only encourage the upstream to DTRT.
In fact signatures and license files are quite similar:
our guidelines say that the license file MUST be installed if provided
by upstream, and packagers SHOULD ask upstream to provide it if it is
missing [1]. I think we should follow this pattern for signatures.
There will always be exceptions to the "MUST check if signed" rule:
repacking the tarball is an obvious one. The guidelines should
acknowledge this.
Zbyszek
[1] https://fedoraproject.org/wiki/Packaging:LicensingGuidelines#License_Text