--- Comment #25 from marco <> ---
> packagers must be very careful when a release-signing key changes

Source12 simply downloads the key from
without checking the hash or fingerprint, so there is no way to detect changes.
What am I missing?

> To my slight surprise I found that the tarball from Github is identical to 
> the one on (and on

I think this is only a coincidence for the 0.20.0 release. All other releases
should not match, which is why I assumed the download sources are identical.

> I don't see any statement that Hockeypuck has a solution to the spam attack

Good point, personally I can recommend,
which claim to be resistant to those attacks.

Not sure, but might have solved the attack by disabling
key updates, which could lead to problems should the key ever be revoked.

Though generally, as long as the fingerprint matches, it should be possible to
download the key from any source with reliable uptime.

package-review mailing list --