Hello community,

here is the log from the commit of package gpg-offline for openSUSE:Factory 
checked in at 2012-12-14 07:37:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gpg-offline (Old)
 and      /work/SRC/openSUSE:Factory/.gpg-offline.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gpg-offline", Maintainer is ""

Changes:
--------
--- /work/SRC/openSUSE:Factory/gpg-offline/gpg-offline.changes  2012-11-30 
12:21:09.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.gpg-offline.new/gpg-offline.changes     
2012-12-14 07:37:09.000000000 +0100
@@ -1,0 +2,5 @@
+Mon Dec  3 21:31:00 CET 2012 - [email protected]
+
+- PACKAGING.HOWTO improved.
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gpg-offline.PACKAGING.HOWTO ++++++
--- /var/tmp/diff_new_pack.T1TwnY/_old  2012-12-14 07:37:11.000000000 +0100
+++ /var/tmp/diff_new_pack.T1TwnY/_new  2012-12-14 07:37:11.000000000 +0100
@@ -15,6 +15,9 @@
 Package review
 Automatic check
 Build Service use
+ Use %if in spec file
+ Use aggregate package
+ Use prjconf trick
 
 
 
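Review bot: the three new table-of-contents entries are indented one space deeper than their siblings (`+ Use %if in spec file` versus the unchanged ` Package review` / ` Build Service use` lines, which carry no indentation after the diff marker); drop the leading space so the list stays aligned.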
@@ -23,8 +26,31 @@
 
 GPG signature verification expects presence of signer in the web of
 trust. It is often not true for packaging upstream packages. So you have
-to trust them using inferior methods, e. g. time continuity: Signature
-downloaded a year ago uses the same signing key as the current one.
+to trust them using inferior methods.
+
+The first time step is very security-sensitive: You define your package
+keyring - a list of trusted keys, that can be used by the upstream to
+sign the source of your package. Check carefully that you are not adding
+a malicious keys there.
+
+Be paranoid! The %gpg_verify is able to detect hacked source on the
+upstream servers (and such bad thing really already happened, see
+http://scarybeastsecurity.blogspot.cz/2011/07/alert-vsftpd-download-backdoored.html
 !),
+but it is not able to detect maliciously uploaded false signature on the
+key servers.
+
+If the upstream author is in your web of trust, you are on a safe side.
+But if he/she is not in your web of trust, you have to use alternative
+ways to trust the key:
+- If you can mail to the author and verify the key, it is very probably
+  an authorized signature.
+- If the signing key is the same as the one used a year ago, it is
+  probably an authorized signature.
+- If the signing key was used in mailing list many times to sign
+  developer mails, or at least it was announced there, it is probably an
+  authorized signature.
+- If you can find the public key or footprint on more servers on
+  different hostings, it is probably an authorized signature.
 
 
 Prepare if I have only a trusted signature
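Review bot: in the last bullet, `footprint` should be `fingerprint`, which is the term the rest of the document and gpg itself use for the key hash a packager compares across servers; with the current wording a reader may not know what to look for. Two smaller wording fixes in the same hunk: `The first time step is very security-sensitive` reads better as `The first step is very security-sensitive`, and `you are not adding a malicious keys there` should be `you are not adding malicious keys there`. It would also help to state that these four heuristics are meant to be combined rather than used singly, since the text itself calls them inferior methods.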
@@ -81,6 +107,7 @@
 ~/OSC/openSUSE:Factory/apache2> mv apache2.keyring.new apache2.keyring
 ~/OSC/openSUSE:Factory/apache2> 
 
+
 Common step: create spec file
 - - - - - - - - - - - - - - -
 
@@ -126,7 +153,7 @@
 
 
 Signing key was changed in upstream
---------------------------------
+-----------------------------------
 
 If the signing key changed in upstream (new signature, expiration change
 etc., please use gpg-offline --refresh command.
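Review bot: the underline now matches the heading width, but the sentence in the unchanged context directly below never closes the parenthesis opened at `(new signature, expiration change`; suggest `etc.), please use the gpg-offline --refresh command.` while this block is being touched.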
@@ -188,9 +215,64 @@
 Build Service use
 -----------------
 
-If you need to build your package for older products and don't want to
-mess spec file with %ifs, you can link or aggregate gpg-offline from
-devel:tools:building or use following trick with "osc meta prjconf":
+If you need to build your package for older products, you have three ways to 
do it:
+
+Use %if in spec file
+- - - - - - - - - -
+
+The simplest straightforward way is the use conditional BuildRequires.
+
+Source1:        
http://{url_path_to_your_project}/%{name}-%{version}.tar.bz2.sig
+Source2:        %{name}.keyring
+%if 0%{?suse_version} > 1220
+BuildRequires:  gpg-offline
+%endif
+
+And %prep section should perform the verification step if the macro is defined:
+
+%prep
+%if 0%{?gpg_verify:1}
+%gpg_verify %{S:1}
+%endif
+%setup -q
+
+
+Use aggregate package
+- - - - - - - - - - -
+
+Aggregate package 
+
+osc aggregatepac devel:tools:building gpg-offline {my_project}
+
+It is recommended to disable publishing of this helpers, either in the
+web interface, or by calling of:
+
+osc meta pkg {my_project} gpg-offline -e
+
+and adding publish disabling XML code:
+
++   <publish>
++    <disable/>
++  </publish>
+ </package>
+
+
+If you are using obscure build targets, you may want to use linkpac
+instead of aggregatepac. In this case you need to disable the package
+build by default and enabling it for all repositories older or equal to
+12.2. You should disable publishing as above as well.
+
+
+Use prjconf trick
+- - - - - - - - -
+
+If you don't want to mess spec file with %ifs and don't want to link or
+aggregate gpg-offline from devel:tools:building, you can use following
+trick. Call following command:
+
+osc meta prjconf {my_project} -e
+
+And add to it following code:
 
 --- Cut here ----
 %if 0%{?suse_version} <= 1220
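Review bot: the `%if 0%{?gpg_verify:1}` guard in the "Use %if in spec file" section means that on any product where gpg-offline is not installed the signature check is skipped silently and the build succeeds on an unverified tarball; the HOWTO should say this explicitly so packagers understand that the `%if` approach only verifies on suse_version > 1220, whereas the aggregate and prjconf approaches keep the check on older targets too. Wording fixes in the same hunk: `The simplest straightforward way is the use conditional BuildRequires` should read `The simplest way is to use a conditional BuildRequires`; the line `Aggregate package ` under the "Use aggregate package" heading is an unfinished sentence and should say what the command below does, e.g. `Aggregate the package into your project:`; `disable publishing of this helpers` should be `disable publishing of these helpers`; and `older or equal to 12.2` should be `older than or equal to 12.2`, which is also the threshold the `%if 0%{?suse_version} <= 1220` prjconf line encodes. Finally, the `Source1:` line is wrapped onto two lines in this copy; check that the committed file keeps the URL on the same line as the tag, otherwise rpmbuild will not parse it.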

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
