On 04.12.2012 09:26, Michal Vyskocil wrote:
On Mon, Dec 03, 2012 at 08:33:25PM +0100, Stanislav Brabec wrote:
Stanislav Brabec wrote:
I just implemented signature verification for all packages that already contained a signature and/or a trusted keyring. But I did not verify that the signature submitted by packagers is the signature of the real author.
Just a hint for people who got one of these requests:
If you want to build a package for older SUSE versions and don't want to link or aggregate gpg-offline into your devel projects, nor use the ugly prjconf trick, feel free to add %if statements to your spec file.
Example:
Source2. %{name}.keyring +%if 0%{?suse_version} > 1220 BuildRequires: gpg-offline +%endif
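Review bot: the first line reads `Source2.` with a period; rpm only recognizes it as a source tag with a colon (`Source2: %{name}.keyring`), so as pasted the keyring would not be picked up at all. The `%if 0%{?suse_version} > 1220` guard here wraps only the BuildRequires; the %prep line that actually calls gpg-offline needs the same guard, otherwise the build still fails on the older releases the guard is meant to support. Also note that this only proves "signed by a key in Source2"; the keyring itself is not checked against the upstream author, as the thread already points out.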
If we accept that the verification is applied to Factory packages only, maybe coolo can call it from the factory-auto scripts? Then we don't need to pollute BuildRequires and %prep; the downside is it won't work on devel projects, or in plain rpm as your approach does.
CCing coolo: what do you think?
This actually sounds like something to be put in the source validator or a similar source service that runs on checkin, and that I can then call from factory-auto. I agree that ugly %suse_version %preps are not worth the extra felt security, especially as we do no checks about the keyring whatsoever.

Greetings, Stephan
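For reference, here is the complete pattern the thread is discussing written out as a spec file. This is an added example, not a spec from the thread or from any openSUSE package: it guards both the BuildRequires and the %prep verification call with the same %if, so the package still builds on releases without gpg-offline. The macro name %gpg_verify and its argument form are my recollection of gpg-offline's interface and are assumptions here, as are the package name foo, the example.org URLs and the file names.

```spec
# Added example (not from the thread): spec-file pattern for verifying an
# upstream tarball's detached signature against a keyring shipped as a source,
# while still building on SUSE releases that have no gpg-offline package.
# Assumptions: gpg-offline provides a %gpg_verify macro taking the signature
# file (macro name assumed); upstream publishes foo-1.0.tar.gz plus .sig.
Name:           foo
Version:        1.0
Release:        0
Summary:        Example package with guarded upstream signature verification
License:        MIT
URL:            https://example.org/foo
Source0:        https://example.org/foo-%{version}.tar.gz
Source1:        https://example.org/foo-%{version}.tar.gz.sig
# Keyring containing only the upstream release-signing key. The build proves
# "signed by a key in this file", nothing more: the key's fingerprint has to
# be compared with upstream's published one when the keyring is added or
# refreshed, otherwise the check is only as good as whoever committed it.
Source2:        %{name}.keyring
# Same guard as in %prep below; gpg-offline does not exist on older releases.
%if 0%{?suse_version} > 1220
BuildRequires:  gpg-offline
%endif

%description
Example package demonstrating signature verification of the upstream tarball
that degrades to a plain build on releases without gpg-offline.

%prep
%if 0%{?suse_version} > 1220
# Aborts the build if Source1 does not verify against a key in Source2.
# Runs before %setup so an unverified tarball is never unpacked.
%gpg_verify %{SOURCE1}
%endif
%setup -q

%build
%configure
make %{?_smp_mflags}

%install
%make_install

%files
%license LICENSE
%{_bindir}/foo

%changelog
```

On a release where suse_version is 1220 or lower both guarded blocks are dropped by the preprocessor and the spec reduces to an ordinary build, which is exactly the behaviour the BuildRequires-only snippet above fails to deliver on its own.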