On Tue, Jul 5, 2011 at 7:43 PM, Benjamin Lewis <ben.le...@benl.co.uk> wrote:
> On 07/05/2011 05:15 PM, Adam Williamson wrote:
>>
>> I didn't see any suggestion that packages be *required* to have a
>> signature, only that we somehow run an automated check on one if there
>> is one.
>>
>> Rather than making specific Source numbers special case, why not just go
>> on naming? The convention for signatures is to add an extension to the
>> name of the tarball the signature is for; that shouldn't be too hard to
>> implement, I don't think.
>
> Surely the automated testing tool would need a way of being fed
> known-trusted public keys in advance as well?

Unless my memory is failing me, we already had a mechanism for this
(specifying the trusted keys and verifying signatures) in the CVS
package repository (in Makefile.common).  Perhaps most of that could
be reused.
   Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
