-----BEGIN PGP SIGNED MESSAGE-----
On Jun 28, 2007, at 8:55 AM, Jesse Keating wrote:
On Thursday 28 June 2007 08:44:09 Till Maas wrote:
> What should go wrong when someone with the gpg key signs the rpms?
> And the
> rpms are really trivial, so it is easy to verify them once. And
> afaik they
> are not updated very often, so it is not much work.
The answer isn't to sign these rpms which don't exist anywhere else
distribution. The answer is to add a "buildsys-build" group or
named group to the comps file and define what packages should be in
that way, and have mock just do a 'groupinstall buildsys-build',
pull from the shipped repos. This does away with the need of a
repo all together, relies upon the shipped / signed rpms, and
of defining groups.
This is how mock used to work (albeit using yumgruops.xml instead of
comps.xml), and it was decided (on fedora-buildsys-list, IIRC) that
it would be better to use an RPM to define the base buildroot packages.
Personally, I feel that having an external 'buildgroups' repo lends
itself well to those of us that may wish to modify the packages which
get installed by mock by default. If Fedora does change how mock
reads in this information, I would hope that it remains configureable
in some way -- for example, if there is a 'groups' repo listed in a
mock config, then use that instead of what's defined in comps.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
-----END PGP SIGNATURE-----