On Fri, 2016-08-26 at 21:54 +0200, Axel Braun wrote:
Regardless of the tarball source (upload from a developer or download by OBS via _service file), I think, that the tarballs should be verified with GPG keys or SHA checksums. This verification is enabled in some Factory packages, but not in all.
That makes perfect sense.
Not all upstreams provide a signature - for the ones that do, I agree, we should use them. But it's up to the maintainers to verify that there ARE signatures and use them. The infrastructure is ready - sigs are verified upon submission to Factory and as the package can't change there without a submission, it's guaranteed to stay valid (but can of course be verified at any given point in time).
See the discussion here: [opensuse-factory] Build service and checksums for source code archive verification https://lists.opensuse.org/opensuse-factory/2016-08/msg00213.html
But coming back to the original scope of the mail - why automatic service runs are not allowed in Factory. I would have expected the whole community of package maintainers to step up and grill me. Except Björn's comment I saw a mail from Oliver https://lists.opensuse.org/opensuse-factory/2016-08/msg00428.html complaining basically about the same fact.
So, if we don't have hard reasons to give away this nice feature, why can't we enable it by default? Or at least, not complain about it in Factory?
For Factory it's a no-go: we have to guarantee that source will never change except by means of a submission from a devel project. With enabled services we risk that any given package might just 'updated to latest git master' (possibly involving user error, but still). You have to understand that any such thing would more than just invalidate the entire staging and pre-integration testing workflows we do. Services can be a great aid - but I don't see them fit in maintaining a project like Tumbleweed.

Cheers,
Dominique
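The checksum half of the tarball verification discussed above, as an added example that is not code from this thread or from OBS: a POSIX shell function that checks one tarball against a sha256sum-style SHA256SUMS file, treats a missing entry as a failure rather than a pass, and a demo that builds a constructed stand-in tarball, tampers with it, and shows the three outcomes. File names and contents are constructed for the demo.

```shell
#!/bin/sh
# verify_tarball_checksum TARBALL SUMSFILE
# SUMSFILE lines look like "<hex sha256>  <filename>" or "<hex> *<filename>",
# as written by sha256sum. Exit status: 0 match, 1 mismatch, 2 no entry.
# An absent entry is a hard failure: "nothing to compare against" is not a pass.
verify_tarball_checksum() {
    tarball=$1
    sumsfile=$2
    name=$(basename "$tarball")
    # Pick the first entry whose file name matches (text or binary mode marker).
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sumsfile")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sumsfile" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# demo_verify: constructed scenario in a temporary directory.
# Prints three exit codes: "<intact> <tampered> <no entry>"; expected "0 1 2".
demo_verify() {
    dir=$(mktemp -d)
    # Constructed stand-in for an upstream tarball (content is arbitrary bytes).
    printf 'constructed sample tarball content\n' > "$dir/foo-1.0.tar.gz"
    (cd "$dir" && sha256sum foo-1.0.tar.gz > SHA256SUMS)
    : > "$dir/EMPTY_SUMS"
    if verify_tarball_checksum "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS" 2>/dev/null; then
        ok=0; else ok=$?; fi
    # Simulate a tarball that changed after the checksum list was recorded.
    printf 'tampered\n' >> "$dir/foo-1.0.tar.gz"
    if verify_tarball_checksum "$dir/foo-1.0.tar.gz" "$dir/SHA256SUMS" 2>/dev/null; then
        bad=0; else bad=$?; fi
    if verify_tarball_checksum "$dir/foo-1.0.tar.gz" "$dir/EMPTY_SUMS" 2>/dev/null; then
        none=0; else none=$?; fi
    rm -rf "$dir"
    echo "$ok $bad $none"
}
```

Run `demo_verify` to see the three codes; in a real package the same check belongs at submission time, next to the GPG signature check, so a tarball that differs from its recorded digest never reaches the build.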