On Tue, Jun 18, 2013 at 09:59:29AM +0200, Jan Engelhardt wrote:
On Tuesday 2013-06-18 09:39, Stephan Kulow wrote:
I consider verifying the gpg signature in the spec file wasted time - at least if it's as expensive as it is, so the right way IMO is to integrate it into the source_validator.
There goes the benefit of validation...
If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered? A question for all the verification promoters ;-)
After talking with coolo I now implemented a check also in the obs-service-source_validator

- It looks for *.keyring files and imports them.
- If found, it looks for *.sig and *.asc files and verifies them.

(We can leave gpg-offline in packages outside of the buildcycle though.)

Ciao, Marcus
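The two-step check described in the last message (import `*.keyring`, then verify `*.sig` and `*.asc`), written out as an added example; it is not part of the thread and not the obs-service-source_validator code. The function names `signed_file` and `verify_sources`, the throwaway GnuPG home directory and the exit-status convention are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the obs-service-source_validator code.
# Usage: verify_sources <package-source-dir>
# Exit status: 0 = no *.keyring present (check skipped) or all signatures good,
#              1 = key import failed, data file missing, or bad signature.

# Detached signature name -> name of the file it covers (foo.tar.xz.sig -> foo.tar.xz)
signed_file() {
    case "$1" in
        *.sig) printf '%s\n' "${1%.sig}" ;;
        *.asc) printf '%s\n' "${1%.asc}" ;;
        *) return 1 ;;
    esac
}

verify_sources() (
    cd "${1:-.}" || exit 1

    # Step 1: look for *.keyring files; without one there is nothing to check.
    found=0
    for k in *.keyring; do
        if [ -f "$k" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || exit 0

    # Import into a throwaway GnuPG home so that only keys shipped with the
    # package are accepted, never keys from the invoking user's own keyring.
    home=$(mktemp -d) || exit 1
    rc=0
    for k in *.keyring; do
        gpg --homedir "$home" --batch --quiet --import "$k" || rc=1
    done

    # Step 2: verify each *.sig / *.asc against the file it signs.
    if [ "$rc" -eq 0 ]; then
        for s in *.sig *.asc; do
            if [ ! -f "$s" ]; then continue; fi   # glob did not match
            f=$(signed_file "$s")
            if [ ! -f "$f" ]; then
                echo "no data file for signature $s" >&2; rc=1
            elif ! gpg --homedir "$home" --batch --quiet --verify "$s" "$f"; then
                echo "signature check failed: $s" >&2; rc=1
            fi
        done
    fi

    rm -rf "$home"
    exit "$rc"
)
```

The check is only as strong as the review of the `*.keyring` file itself, since the keyring is stored next to the sources it vouches for.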