Re: Fedora Source-git SIG report #1 (June 2021)

Fri, 25 Jun 2021 06:05:15 -0700 


Le 6/25/21 à 2:51 PM, Neal Gompa a écrit :

On Fri, Jun 25, 2021 at 3:43 AM Zbigniew Jędrzejewski-Szmek
<zbys...@in.waw.pl> wrote:


On Fri, Jun 25, 2021 at 03:49:23AM +0000, Dan Čermák wrote:



On June 24, 2021 9:22:51 PM UTC, "Miro Hrončok" <mhron...@redhat.com> wrote:

On 24. 06. 21 23:07, Miroslav Suchý wrote:

Dne 24. 06. 21 v 15:48 Tomas Tomecek napsal(a):

One thing to consider is that the upstream tarballs might be

cryptographically

signed and packages should verify the signature in %prep.

This is a very good point - in such a case, we should always pull

the

official upstream tarball instead of generating a new one downstream


Does it matter? If you are able to generate byte2byte identical

tarball then

you can choose any of them.


AFAIK git does not grantee to produce byte2byte identical archives
across
different versions of git, zlib, gzip etc. So even if upstream signs
the git
generated archive, generating a byte2byte identical one might be
tricky.


Especially with xz, which iirc has reproducibility issues in parallel mode.


I think we should try to push upstream to sign git tags, instead or in
addition to tarballs. For upstreams, this is actually much easier
(just 'git tag' → 'git tag -s' and you're done) compared to e.g. signing
a tarball on github which requires some interaction with the web service.



As an upstream, I would literally *never* GPG sign git tags. If you
ask me to do that, I won't. It's far too annoying to deal with for me
to be willing to suffer through that.

I'm not going to ask people to do something I would be unwilling to do myself.


What about only version tags? You could do some git/bash alias to create commit 
version + signed tag at once. For example, we do that on Qubes OS and that's 
not more work that just committing the version.

Best,
Frédéric




Attachment:
OpenPGP_signature

Description: OpenPGP digital signature


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

























					Reply via email to