Dne 3.10.2017 v 08:21 Vít Ondruch napsal(a):
>
> Dne 2.10.2017 v 22:31 Hedayat Vatankhah napsal(a):
>> Björn Persson wrote on Mon, 2 Oct 2017 16:28:02 +0200:
>>> Dennis Gilmore <den...@ausil.us> wrote:
>>>> Today We rely on you as a packager
>>>> verifying the sources, and by uploading them directly you are saying
>>>> this is really what I intended to send you and I have ensured that it
>>>> is good.  You would need to work with release engineering and
>>>> infrastructure to come up with some way to sign off on the code being
>>>> used.
>>> Like maybe writing a hash of the tarball in the sources file (with some
>>> help from fedpkg perhaps) and checking that in? Then a server in the
>>> Fedora Project infrastructure could fetch the tarball from the Source
>>> URL in the spec and verify that it matches the hash.
>> I think it should work & it should be easy enough.
>>
>> Also, instead of 'pulling down from random machines', it'd be enough
>> if it is not a random machine, but packager's fedorapeople space. It'd
>> be enough if there is a way to upload sources from there (and possibly
>> remove them automatically after that).
> If the sources were downloaded from somewhere, then it should be the
> SourceX URL, nothing else makes sense IMHO. I know that you can create
> the source archive by yourself for various reasons, but that should be
> exception, not the rule ...
>
>
> Vít

Actually, just by submitting a rebase PR in Pagure dist-git, this should be
implemented, although for completely different reasons. Let me explain.

If I submit my PR there are two scenarios:

1) I don't upload the sources myself, the package will become FTBFS
after the merge, since it won't find the sources

2) I upload the sources, but a) the PR never gets merged. This is a waste
of resources if nothing else, but b) the sources contain something
inappropriate (we try to encourage everybody to submit PRs, no matter
their experience etc., right?); now we have the sources in the cache and they
need to be expelled manually ...

Actually, does the submitter always have the right to upload the sources? Dunno
...

Based on this, I think this should be reconsidered.


Vít
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
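The check Björn proposes above (a hash of the tarball recorded in the dist-git `sources` file, verified server-side against what is fetched from the Source URL), as an added example that is not part of this thread or of fedpkg: it parses both the `SHA512 (name) = hex` and the older `md5  name` line shapes, refuses tarballs that are not declared, and refuses legacy MD5 entries as too weak to attest an upload. The file names and tarball bytes are constructed stand-ins.

```python
import hashlib
import hmac
import re

# Fedora dist-git "sources" lines come in two shapes (the file name is the key):
#   new:  SHA512 (hello-1.0.tar.gz) = <hex>
#   old:  <md5 hex>  hello-1.0.tar.gz
_NEW = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
_OLD = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+(?P<name>\S+)$")

# Algorithms a verifier should accept; MD5 entries are parsed but rejected.
STRONG_ALGOS = {"sha256", "sha512"}


def parse_sources(text):
    """Return {file name: (algorithm, hex digest)} for every entry in a sources file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _NEW.match(line)
        if m:
            entries[m["name"]] = (m["algo"].lower(), m["hex"].lower())
            continue
        m = _OLD.match(line)
        if m:
            entries[m["name"]] = ("md5", m["hex"].lower())
            continue
        raise ValueError(f"unparseable sources line: {line!r}")
    return entries


def verify_source(name, data, entries):
    """True only if `name` is declared with a strong algorithm and `data` matches its digest."""
    if name not in entries:
        return False  # tarball not declared in sources: refuse it
    algo, expected = entries[name]
    if algo not in STRONG_ALGOS:
        return False  # legacy MD5 line: not good enough to attest what the packager uploaded
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data standing in for the tarball a server would fetch from
# the spec's Source URL, plus a sources file that declares it (hashes computed here).
SAMPLE_TARBALL = b"constructed stand-in for hello-1.0.tar.gz\n"
SAMPLE_SOURCES = (
    f"SHA512 (hello-1.0.tar.gz) = {hashlib.sha512(SAMPLE_TARBALL).hexdigest()}\n"
    f"{hashlib.md5(SAMPLE_TARBALL).hexdigest()}  legacy-0.1.tar.gz\n"
)
```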
