--- Comment #27 from Oleg Girko <> ---
(In reply to Björn Persson from comment #26)
> (In reply to marco from comment #25)
> > Source12 simply downloads the key from
> > without checking the hash or
> > fingerprint, so there is no way to detect changes. What am I missing?
> You're missing the fact that RPMbuild doesn't download anything and the Koji
> builders are isolated from Internet access. All sources and patches are
> taken from the Fedora Project's Git repository and lookaside cache, and
> change only when a package maintainer uploads a new file. Our source file
> verification policy says that the keyring shall be committed to Git:
> #_source_file_verification
> The URL is there to document where the keyring came from, so that anyone can
> download it and verify that it's identical to the one in Git.

This looks too dependent on Fedora infrastructure.
What about those who want to re-build the package from the spec file on their
computer (and download all necessary sources using spectool)?
What about those who want to re-build the package using OBS and download_files
source service?
I think, the main PGP public key's checksum should be embedded into spec file
and checked against to make sure all re-downloaded sources are correct.

You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
package-review mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:

Reply via email to