--- Comment #28 from Björn Persson <bj...@xn--rombobjrn-67a.se> ---
(In reply to Oleg Girko from comment #27)
> What about those who want to re-build the package from the spec file

I would recommend rebuilding from the source RPM package. Rebuilding from only
a spec isn't possible in the general case. Many packages have patches, and
sometimes there is no working URL to a source. Those will be missing if you try
to rebuild from only the spec.

> I think, the main PGP public key's checksum should be embedded into spec
> file and checked against to make sure all re-downloaded sources are correct.

That wouldn't hurt. You would want a GnuPG command – or a series of commands –
to verify that the given keyring contains a key with the given fingerprint, and
also that it doesn't contain any other keys. Can you propose such a command?
Don't forget to ensure that GnuPG will look only in the specified keyring even
if the user has a default keyring.
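
One way to do the check asked for above, as an added example that is not part of the original comment or of Fedora's packaging macros. It assumes the keyring is a binary keyring or keybox file that `gpg --keyring` can open; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample records are constructed.

# Reads `gpg --with-colons` records on stdin. Succeeds only if the listing has
# exactly one primary key ("pub") whose own "fpr" record equals $1.
only_fingerprint() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; after_pub = 1; next }
        $1 == "fpr" && after_pub { if ($10 == want) hits++ }
        { after_pub = 0 }   # fpr records that follow "sub" belong to subkeys
        END { exit !(pubs == 1 && hits == 1) }
    '
}

# Lists only the given keyring file. An empty temporary home directory plus
# --no-default-keyring keeps the user's own keyrings and gpg.conf out of it.
keyring_has_only() {
    keyring=$1
    # gpg looks up a bare file name in its home directory, so force a path.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac
    [ -r "$keyring" ] || return 2
    home=$(mktemp -d) || return 2
    gpg --batch --no-options --homedir "$home" --no-default-keyring \
        --keyring "$keyring" --with-colons --fingerprint --list-keys \
        2>/dev/null | only_fingerprint "$2"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed listing: one primary key with one subkey.
sample_listing() {
    cat <<'EOF'
tru::1:1500000000:0:3:1:5
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Upstream <upstream@example.org>:
sub:-:4096:1:76543210FEDCBA98:1500000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}
```

`keyring_has_only FILE FINGERPRINT` returns non-zero when the file holds a different key, more than one primary key, or cannot be read by gpg, so a build step can stop before any signature is checked against it.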