On 3/15/19 9:58 AM, Daniel Kahn Gillmor wrote:
> On Fri 2019-03-15 02:53:28 +0100, Adam Majer wrote:
>> adding explicit checks would add an extra BuildRequires in the build
>> process to pull in gpg, which is excessive.
>
> It shouldn't require gpg; it should only pull in gpgv, which is already
> on the base system, no? And once the "small file" is checked, it would
> then require sha256sum (or the equivalent) to verify the tarball itself;
> on any modern system, that's likely to be available anyway
> (e.g. coreutils' sha256sum or "openssl dgst" or whatever).

# osc chroot
running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su -
abuild
# gpgv
-bash: gpgv: command not found
With openSUSE, the closest thing to a base system for building would be
in this log,
https://build.opensuse.org/build/home:adamm:boost_test/openSUSE_Tumbleweed/x86_64/boost-defaults/_log
Since this is just a dependency package, it has no BuildRequires. The
base system is just what is needed to run rpm, rpmlint, etc. so 122
packages. No gpgv or gpg or python or ruby. Only gcc, perl, rpm.

>> Instead of reverting, how about distributing the .asc file and an
>> inline signed checksum file?
>
> The checksum file (*.sha256.asc) that is distributed by notmuch is
> already inline-signed (please read my proposed verification step
> upthread), so that part's done. (notmuch does *also* ship an unsigned
> *.sha256 file, which i agree doesn't serve much purpose and could be
> dropped)

Sorry, I meant clear signed and inline. The checksum file could just be
*.sha256 and be itself clear signed. Then people see it as a checksum file
and when they look inside, they see it as signed. There is no reason to
have the checksum file encoded.
The (my?) expectation is that a *.asc file is a detached signature.
That's why GPG is warning when it is not a detached signature. But I can
live with .sha256.asc if there is no .sha256 ;)
- Adam
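
Added example, not part of this thread and not notmuch's or openSUSE's own tooling: the two-step check discussed above (gpgv on the clear-signed checksum file, then sha256sum on the tarball) as POSIX shell functions. The keyring path and file names are assumptions, and it assumes a gpgv that supports --output.

```shell
#!/bin/sh
# Added example. Assumed usage (all three paths are hypothetical):
#   verify_release ./upstream-keyring.gpg pkg-1.0.tar.gz.sha256.asc pkg-1.0.tar.gz

# check_digest SUMS TARBALL
# SUMS is already-verified text in sha256sum format. Succeeds only if it
# lists exactly one digest for TARBALL's basename and that digest matches.
check_digest() {
    sums=$1
    tarball=$2
    name=$(basename "$tarball")
    # sha256sum writes "DIGEST  NAME" (text) or "DIGEST *NAME" (binary).
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    [ -n "$want" ] || { echo "no signed digest for $name" >&2; return 1; }
    have=$(sha256sum "$tarball" | awk '{ print $1 }')
    # Two or more matching entries make $want multi-line, so this fails closed.
    [ "$want" = "$have" ]
}

# verify_release KEYRING SIGNED_SUMS TARBALL
# KEYRING must contain a slash, otherwise gpgv looks in its home directory.
verify_release() {
    keyring=$1
    signed=$2
    tarball=$3
    tmp=$(mktemp) || return 1
    # Compare against what gpgv emits, never against the .asc file itself:
    # text outside the signed region of a clear-signed file is not covered
    # by the signature, so grepping the raw file can match unsigned lines.
    if gpgv --keyring "$keyring" --output - "$signed" >"$tmp" 2>/dev/null &&
        check_digest "$tmp" "$tarball"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Only gpgv and sha256sum are needed at build time; a missing gpgv or an unreadable keyring makes verify_release fail rather than skip the signature step.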