On Tue, Mar 22, 2016 at 06:01:28PM +0100, Björn Persson wrote:
David Woodhouse wrote:
> Our packaging guidelines really ought to mandate that *if* upstream
> publishes GPG or PKCS#7/CMS signatures of source tarballs, then the
> package *must* verify those signatures as part of %prep.
I suppose the point of this would be that others can see that the
verification has been done, right?
It also makes it easier for (co)maintainers to establish a
trust-on-first-use signature verification model. For example I added the
GPG key for youtube-dl to the spec file and the co-maintainer or current
maintainer just needs to update the tarball and the signature to be sure
that only a trusted tarball will be used. Also it allows one to easily
verify the tarball using fedpkg prep or fedpkg local.
I guess it might even make the new hotness do scratch builds with
verified tarballs, since iirc it updates both the tarball and the
signature and then %prep makes sure that they are verified.
Kind regards
Till
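As an added example (not code from this thread or from any of the packages mentioned), a spec skeleton for a hypothetical package "example-tool" showing the %prep-time check Till describes, with the upstream key shipped as a third source so only that key is trusted; all names, URLs and the key file are placeholders.

```spec
# Added example, not from the thread: pinning the upstream signing key in
# the spec so that %prep refuses to unpack an unverified tarball.
# Source0 is the upstream tarball, Source1 the detached signature upstream
# publishes beside it, Source2 the upstream maintainer's public key exported
# into a keyring that ships with the package sources.
Name:           example-tool
Version:        1.2.3
Release:        1%{?dist}
Summary:        Example of verifying an upstream signature at build time
License:        MIT
URL:            https://example.invalid/example-tool

Source0:        https://example.invalid/releases/%{name}-%{version}.tar.gz
Source1:        https://example.invalid/releases/%{name}-%{version}.tar.gz.sig
# Exported with: gpg2 --export <FINGERPRINT> > %{name}-keyring.gpg
# Binary export on purpose: older gpgv versions reject ASCII-armored keyrings.
Source2:        %{name}-keyring.gpg

BuildRequires:  gnupg2

%description
Placeholder package demonstrating signature verification during build.

%prep
# gpgv2 exits non-zero, and so fails the build, unless Source1 is a valid
# signature over Source0 made by a key present in the Source2 keyring.
# Trust-on-first-use: the key is fixed in the spec, so updating only
# Source0 and Source1 cannot silently introduce a tarball signed by
# some other key or no key at all. Runs before %setup unpacks anything.
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%setup -q
```

Running fedpkg prep or fedpkg local on such a spec exercises the same check locally, which is the verification Till refers to.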