--- Comment #28 from Björn Persson ---
(In reply to Oleg Girko from comment #27)
> What about those who want to re-build the package from the spec file

I would recommend rebuilding from the source RPM package. Rebuilding from only
a spec isn't possible in the general case. Many packages have patches, and
sometimes there is no working URL to a source. Those will be missing if you try
to rebuild from only the spec.

> I think, the main PGP public key's checksum should be embedded into spec
> file and checked against to make sure all re-downloaded sources are correct.

That wouldn't hurt. You would want a GnuPG command – or a series of commands –
to verify that the given keyring contains a key with the given fingerprint, and
also that it doesn't contain any other keys. Can you propose such a command?
Don't forget to ensure that GnuPG will look only in the specified keyring even
if the user has a default keyring.
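
One possible answer to the request above, as an added example that is not part of the original message or of Fedora's tooling: a check that a keyring file holds exactly one primary key with the expected fingerprint, with GnuPG pointed at an empty temporary home directory so the user's default keyring and configuration are never consulted. The function names and the sample listing are hypothetical, and the keyring is assumed to be a binary keyring or keybox file that `--keyring` can read, not an ASCII-armored export.

```shell
#!/bin/sh
# Added example, not from the thread; function and variable names are hypothetical.

# Constructed sample of `gpg --with-colons --list-keys` output: one primary
# key (pub) with one subkey (sub); field 10 of each fpr record is a fingerprint.
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Constructed Upstream <upstream@example.org>:
sub:-:255:18:76543210FEDCBA98:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Read a colon-format key listing on stdin. Succeed only if it contains
# exactly one primary key and that key has the fingerprint given in $1.
check_single_key() {
    # Normalise the expected fingerprint: drop spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -F: -v want="$want" '
        $1 == "pub" { npub++; primary = 1; next }  # a new primary key starts
        $1 == "sub" { primary = 0; next }          # fpr after sub is a subkey
        $1 == "fpr" && primary { got = toupper($10); primary = 0 }
        END { exit !(npub == 1 && (got "") == (want "")) }
    '
}

# verify_keyring KEYRING FINGERPRINT
# List the keys in KEYRING only and apply check_single_key to the listing.
verify_keyring() {
    keyring=$1
    # A name without a slash would be looked up in the GnuPG home directory.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac
    home=$(mktemp -d) || return 2   # empty home: no gpg.conf, no pubring
    gpg --batch --homedir "$home" --no-default-keyring --keyring "$keyring" \
        --with-colons --with-fingerprint --list-keys 2>/dev/null |
        check_single_key "$2"
    rc=$?                           # a gpg failure yields no pub record: fails
    rm -rf "$home"
    return "$rc"
}
```

Comparing only the `fpr` record that directly follows `pub` keeps a subkey fingerprint from being accepted in place of the primary key's.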
