--- Comment #27 from Oleg Girko <ol+red...@infoserver.lv> ---
(In reply to Björn Persson from comment #26)
> (In reply to marco from comment #25)
> > Source12 simply downloads the key from
> > https://bitcoin.org/laanwj-releases.asc without checking the hash or
> > fingerprint, so there is no way to detect changes. What am I missing?
> You're missing the fact that RPMbuild doesn't download anything and the Koji
> builders are isolated from Internet access. All sources and patches are
> taken from the Fedora Project's Git repository and lookaside cache, and
> change only when a package maintainer uploads a new file. Our source file
> verification policy says that the keyring shall be committed to Git:
> The URL is there to document where the keyring came from, so that anyone can
> download it and verify that it's identical to the one in Git.
This looks too dependent on Fedora infrastructure.
What about those who want to re-build the package from the spec file on their
computer (and download all necessary sources using spectool)?
What about those who want to re-build the package using OBS and download_files
I think, the main PGP public key's checksum should be embedded into spec file
and checked against to make sure all re-downloaded sources are correct.
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
package-review mailing list -- firstname.lastname@example.org
To unsubscribe send an email to package-review-le...@lists.fedoraproject.org
Fedora Code of Conduct:
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines