https://bugzilla.redhat.com/show_bug.cgi?id=1834731



--- Comment #28 from Björn Persson <bj...@xn--rombobjrn-67a.se> ---
(In reply to Oleg Girko from comment #27)
> What about those who want to re-build the package from the spec file

I would recommend rebuilding from the source RPM package. Rebuilding from only
a spec isn't possible in the general case. Many packages have patches, and
sometimes there is no working URL to a source. Those will be missing if you try
to rebuild from only the spec.

> I think the main PGP public key's checksum should be embedded into the spec
> file and checked against to make sure all re-downloaded sources are correct.

That wouldn't hurt. You would want a GnuPG command – or a series of commands –
to verify that the given keyring contains a key with the given fingerprint, and
also that it doesn't contain any other keys. Can you propose such a command?
Don't forget to ensure that GnuPG will look only in the specified keyring even
if the user has a default keyring.
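
One way to make the check asked for above, shown as an added example that is not part of the original comment or of any Fedora tooling. The function names are hypothetical, the sample listing is constructed, and the keyring file is assumed to be a binary (not ASCII-armored) OpenPGP keyring.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample data is constructed.

# Print the fingerprint of every primary key in `gpg --with-colons` output
# read from stdin. The first "fpr" record after "pub" is the primary key's;
# "fpr" records after "sub" are subkey fingerprints. Prints "?" if a "pub"
# record had no fingerprint, so the comparison below fails closed.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; npub++; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; nfpr++; want = 0 }
        END { if (npub != nfpr) print "?" }'
}

# Succeed only if the listing on stdin has exactly one primary key and its
# fingerprint is $1 (spaces and letter case in $1 are ignored).
listing_has_only() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# check_keyring FILE FINGERPRINT: list FILE and nothing else. An empty
# temporary home directory, --no-options and --no-default-keyring keep GnuPG
# away from the user's own configuration and keyrings.
check_keyring() {
    file=$1
    [ -f "$file" ] || return 2
    case $file in */*) ;; *) file=./$file ;; esac  # a bare name means "in homedir"
    home=$(mktemp -d) || return 2
    rc=0
    gpg --batch --no-options --homedir "$home" --no-default-keyring \
        --keyring "$file" --with-colons --fingerprint --list-keys 2>/dev/null |
        listing_has_only "$2" || rc=1
    rm -rf "$home"
    return $rc
}

# Constructed listing: one primary key with one subkey (not real keys).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1577836800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1577836800::::Example Upstream <release@example.org>:
sub:-:4096:1:0123456789ABCDEF:1577836800::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
EOF
}
```

`check_keyring` returns 0 only when the file holds exactly the expected primary key; an unreadable keyring or a failing `gpg` produces an empty listing and therefore a failure.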

