https://bugzilla.redhat.com/show_bug.cgi?id=1272235
--- Comment #3 from Zbigniew Jędrzejewski-Szmek zbyszek@in.waw.pl --- (In reply to Miroslav Suchý from comment #2)
I think it is very useful and increases security of various cross-distro installation. I wonder though whether not to remove Fedora and EPEL keys from this, since they will be included in fedora-repos, or maybe to add a check to make sure that they are identical in both packages.
bug 1246701 speaks just about old fedora keys, not about epel IIRC.
Oh, right, fedora-repos is only about Fedora repos and keys.
Regarding packaging:
- why not use a github tarball directly? It's much nicer than to force a git
clone and additional steps.
Because github tarball checksum was not stable in past (not sure if this changed recently). Also the URL is changing nearly each year. At least the URL we should use as suggested by Fedora Guidelines. And I do not use or create tar.gz at all. I just wrote tito --srpm and it will craft (binary identical) tar.gz for me.
The tarballs are stable, and are actually recommended by the guidelines. https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags