On Fri, Jun 25, 2021 at 7:52 AM Neal Gompa <ngomp...@gmail.com> wrote: > > On Fri, Jun 25, 2021 at 3:43 AM Zbigniew Jędrzejewski-Szmek > <zbys...@in.waw.pl> wrote: > > > > On Fri, Jun 25, 2021 at 03:49:23AM +0000, Dan Čermák wrote: > > > > > > > > > On June 24, 2021 9:22:51 PM UTC, "Miro Hrončok" <mhron...@redhat.com> > > > wrote: > > > >On 24. 06. 21 23:07, Miroslav Suchý wrote: > > > >> Dne 24. 06. 21 v 15:48 Tomas Tomecek napsal(a): > > > >>>> One thing to consider is that the upstream tarballs might be > > > >cryptographically > > > >>>> signed and packages should verify the signature in %prep. > > > >>> This is a very good point - in such a case, we should always pull > > > >the > > > >>> official upstream tarball instead of generating a new one downstream > > > >> > > > >> Does it matter? If you are able to generate byte2byte identical > > > >tarball then > > > >> you can choose any of them. > > > > > > > >AFAIK git does not grantee to produce byte2byte identical archives > > > >across > > > >different versions of git, zlib, gzip etc. So even if upstream signs > > > >the git > > > >generated archive, generating a byte2byte identical one might be > > > >tricky. > > > > > > Especially with xz, which iirc has reproducibility issues in parallel > > > mode. > > > > I think we should try to push upstream to sign git tags, instead or in > > addition to tarballs. For upstreams, this is actually much easier > > (just 'git tag' → 'git tag -s' and you're done) compared to e.g. signing > > a tarball on github which requires some interaction with the web service. > > > > As an upstream, I would literally *never* GPG sign git tags. If you > ask me to do that, I won't. It's far too annoying to deal with for me > to be willing to suffer through that. > > I'm not going to ask people to do something I would be unwilling to do myself.
I am not sure what method you are using to sign things, but git GPG integration is easy, and generally gets out of the way. Justin _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
