Dennis Gilmore <den...@ausil.us> wrote:
> Today we rely on you as a packager
> verifying the sources, and by uploading them directly you are saying
> this is really what I intended to send you and I have ensured that it
> is good.  You would need to work with release engineering and
> infrastructure to come up with some way to sign off on the code being
> used.

Like maybe writing a hash of the tarball in the sources file (with some
help from fedpkg perhaps) and checking that in? Then a server in the
Fedora Project infrastructure could fetch the tarball from the Source
URL in the spec and verify that it matches the hash.

Björn Persson
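The check proposed above, written out as an added example (not code from the thread or from fedpkg): the packager side records a digest line in the style fedpkg uses for the `sources` file (`SHA512 (name) = hex`, with the older `md5hex  name` form also accepted), and the server side recomputes the digest over the tarball bytes it fetched and compares. The tarball bytes and file names here are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the bytes a server would fetch from the Source URL.
GOOD_TARBALL = b"constructed stand-in for the contents of foo-1.0.tar.gz"

# Line formats assumed for the sources file: the fedpkg "SHA512 (name) = hex"
# style, plus the older bare "md5hex  name" style.
NEW_FORMAT = re.compile(r"^(?P<alg>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
OLD_FORMAT = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+(?P<name>\S+)$")


def record_source(name, data, alg="sha512"):
    """Packager side: produce the sources line that gets checked in."""
    digest = hashlib.new(alg, data).hexdigest()
    return f"{alg.upper()} ({name}) = {digest}\n"


def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)}; reject unknown lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEW_FORMAT.match(line)
        if m:
            entries[m.group("name")] = (m.group("alg").lower(), m.group("hex").lower())
            continue
        m = OLD_FORMAT.match(line)
        if m:
            entries[m.group("name")] = ("md5", m.group("hex").lower())
            continue
        raise ValueError(f"unrecognised sources line: {line!r}")
    return entries


def verify_tarball(name, data, entries):
    """Server side: True only if the fetched bytes match the recorded digest.

    Fails closed on a file that is not listed or an algorithm hashlib lacks.
    """
    if name not in entries:
        return False
    alg, expected = entries[name]
    if alg not in hashlib.algorithms_available:
        return False
    actual = hashlib.new(alg, data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    entries = parse_sources(record_source("foo-1.0.tar.gz", GOOD_TARBALL))
    print("upstream tarball ok:", verify_tarball("foo-1.0.tar.gz", GOOD_TARBALL, entries))
    print("tampered tarball ok:", verify_tarball("foo-1.0.tar.gz", GOOD_TARBALL + b"\x00", entries))
```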


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org