/*Vít Ondruch*/ wrote on Tue, 3 Oct 2017 08:21:57 +0200:
> On 2 Oct 2017 at 22:31, Hedayat Vatankhah wrote:
>> /*Björn Persson*/ wrote on Mon, 2 Oct 2017 16:28:02 +0200:
>>> Dennis Gilmore <den...@ausil.us> wrote:
>>>> Today we rely on you as a packager
>>>> verifying the sources, and by uploading them directly you are saying
>>>> this is really what I intended to send you and I have ensured that it
>>>> is good.  You would need to work with release engineering and
>>>> infrastructure to come up with some way to sign off on the code being
>>>> used.
>>> Like maybe writing a hash of the tarball in the sources file (with some
>>> help from fedpkg perhaps) and checking that in? Then a server in the
>>> Fedora Project infrastructure could fetch the tarball from the Source
>>> URL in the spec and verify that it matches the hash.
>> I think it should work & it should be easy enough.
>>
>> Also, instead of 'pulling down from random machines', it'd be enough
>> if it is not a random machine, but packager's fedorapeople space. It'd
>> be enough if there is a way to upload sources from there (and possibly
>> remove them automatically after that).
> If the sources were downloaded from somewhere, then it should be the
> SourceX URL, nothing else makes sense IMHO. I know that you can create
> the source archive by yourself for various reasons, but that should be
> exception, not the rule ...

I'd love that, which is what COPR is already doing (AFAIK) when you upload a SPEC. I suggested fedorapeople space if the packager is expected to hand the sources himself.

Hedayat

> Vít
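The check Björn sketches above (a hash of the tarball checked into the `sources` file, and a server that fetches the file from the spec's Source URL and verifies it) as an added Python example; this is not code from the thread or from Fedora's own tooling. The spec, the `sources` file and the tarball bytes are constructed, macro expansion covers only `%{name}` and `%{version}`, and the downloader is injected as a callable so the verification logic runs offline.

```python
import hashlib
import hmac
import re

# Constructed sample inputs (not taken from the thread): a minimal spec, the
# bytes a fetcher would download from Source0, and a fedpkg-style "sources" file.
SPEC = """\
Name:    example
Version: 1.2.3
Source0: https://example.org/releases/%{name}-%{version}.tar.gz
Source1: https://example.org/releases/%{name}-%{version}.tar.gz.asc
"""
TARBALL = b"constructed tarball bytes standing in for example-1.2.3.tar.gz\n"
SOURCES = "SHA512 (example-1.2.3.tar.gz) = %s\n" % hashlib.sha512(TARBALL).hexdigest()

SOURCES_LINE = re.compile(r"^(?P<alg>\w+) \((?P<file>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")


def parse_sources(text):
    """Map file name -> (hash algorithm, expected hex digest) from a 'sources' file."""
    entries = {}
    for line in text.splitlines():
        m = SOURCES_LINE.match(line.strip())
        if m:
            entries[m["file"]] = (m["alg"].lower(), m["hex"].lower())
    return entries


def source_urls(spec):
    """Map file name -> SourceN URL, expanding %{name} and %{version} from the spec."""
    macros = {k.lower(): v for k, v in re.findall(r"^(Name|Version):\s*(\S+)", spec, re.M)}
    urls = {}
    for raw in re.findall(r"^Source\d*:\s*(\S+)", spec, re.M):
        url = re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), raw)
        urls[url.rsplit("/", 1)[-1]] = url
    return urls


def verify_sources(spec, sources_text, fetch):
    """For each checked-in hash, fetch the file from its Source URL and compare.

    fetch(url) -> bytes is injected so the same check can run against a real
    downloader or, as here, against constructed data. Returns name -> verdict.
    """
    urls = source_urls(spec)
    verdicts = {}
    for name, (alg, expected) in parse_sources(sources_text).items():
        if name not in urls:
            verdicts[name] = "no-source-url"  # hash checked in, but nothing to fetch it from
            continue
        actual = hashlib.new(alg, fetch(urls[name])).hexdigest()
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return verdicts


if __name__ == "__main__":
    print(verify_sources(SPEC, SOURCES, lambda url: TARBALL))
```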
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org