--- Comment #26 from Björn Persson <> ---
(In reply to marco from comment #25)
> Source12 simply downloads the key from
> without checking the hash or
> fingerprint, so there is no way to detect changes. What am I missing?

You're missing the fact that RPMbuild doesn't download anything and the Koji
builders are isolated from Internet access. All sources and patches are taken
from the Fedora Project's Git repository and lookaside cache, and change only
when a package maintainer uploads a new file. Our source file verification
policy says that the keyring shall be committed to Git:

The URL is there to document where the keyring came from, so that anyone can
download it and verify that it's identical to the one in Git.
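
The check described in the comment above, as an added example that is not part of the original comment or of Fedora's tooling. The function names are hypothetical, and it assumes the reviewer has already fetched a copy from the documented Source URL to a local file and that the URL's file name contains no RPM macros.

```shell
#!/bin/sh
# Added example: confirm that a keyring fetched from the URL documented in a
# spec file is byte-identical to the copy committed to the package's Git repo.
# Usage: compare_keyring pkg.spec 12 /path/to/git/checkout /path/to/fetched/copy

# Print the URL given for SourceN in a spec file.
source_url() {
    sed -n "s/^Source$2:[[:space:]]*//p" "$1" | head -n 1
}

# SHA-256 of a file, hex digest only.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 if the fetched copy matches the committed file, 1 if it differs,
# 2 if an input is missing.
compare_keyring() {
    spec=$1; n=$2; gitdir=$3; fetched=$4
    url=$(source_url "$spec" "$n")
    [ -n "$url" ] || { echo "Source$n not found in $spec" >&2; return 2; }
    # rpmbuild never fetches the URL; it uses the URL's last path component
    # as the name of the local file that comes from the checkout.
    committed="$gitdir/${url##*/}"
    [ -f "$committed" ] || { echo "$committed is not in the checkout" >&2; return 2; }
    [ -f "$fetched" ] || { echo "$fetched not found" >&2; return 2; }
    a=$(sha256_of "$committed")
    b=$(sha256_of "$fetched")
    if [ "$a" = "$b" ]; then
        echo "OK: ${url##*/} matches the upstream copy ($a)"
        return 0
    fi
    echo "MISMATCH: committed $a, upstream $b" >&2
    return 1
}
```

A mismatch means either upstream changed its keyring after the maintainer committed it or one of the two copies was altered, so it calls for a manual look at the key fingerprints rather than an automatic update.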
