On November 15, 2014 10:14:12 AM EST, "Carlos E. R."
On 2014-11-15 15:38, Marcus Meissner wrote:
Hi,
I am not entirely happy with removing it from the build.
I hope that the gpg signature is still included with the published rpm, and that you are not talking of removing it. And if included, it should be verified at least one time before publishing, to ensure that it is correct. I.e., gpg not validated -> stop publishing.
Carlos,
The question relates to the gpg signature of the tarball used to create the rpm, not the rpm's signature.
The mechanism adopted Feb 2013 is that if the Source: field of a specfile has the fully defined URL in it, then a redundant copy of the tarball is pulled directly from the source URL at key times and the signature of the tarball is compared to the signature of the tarball uploaded to OBS by the packager. It prevents the intentional or unintentional inclusion of modifications in a tarball.
Greg
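
An added sketch of the check described in the message above; it is not part of the original thread and not OBS's own code. It assumes the comparison is done on SHA-256 digests of the two tarballs, and the spec fragment, URL, and `fetch` callable are constructed for illustration.

```python
import hashlib
import re

# Constructed spec fragment (not from a real package).
SAMPLE_SPEC = """\
Name:           example-tool
Version:        1.2.3
Source0:        https://downloads.example.org/%{name}/%{name}-%{version}.tar.gz
Source1:        example-tool.keyring
Source2:        local-fixes.tar.xz
"""

def expand(value, tags):
    """Expand simple %{tag} macros using header tags seen earlier in the spec."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: tags.get(m.group(1).lower(), m.group(0)), value)

def remote_sources(spec_text):
    """Return {filename: url} for Source lines that carry a fully defined URL."""
    tags, sources = {}, {}
    for line in spec_text.splitlines():
        m = re.match(r"^(\w+):\s*(\S.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if re.fullmatch(r"source\d*", key):
            url = expand(value, tags)
            if re.match(r"^(https?|ftp)://", url):
                sources[url.rsplit("/", 1)[-1]] = url
        else:
            tags[key] = value
    return sources

def verify(spec_text, uploaded, fetch):
    """Compare each uploaded tarball with a freshly pulled upstream copy.

    uploaded: {filename: bytes} as provided by the packager.
    fetch: hypothetical callable(url) -> bytes that downloads the upstream file.
    Sources without a full URL cannot be checked and are skipped.
    """
    results = {}
    for name, url in remote_sources(spec_text).items():
        if name not in uploaded:
            results[name] = "missing"
            continue
        local = hashlib.sha256(uploaded[name]).digest()
        upstream = hashlib.sha256(fetch(url)).digest()
        results[name] = "ok" if local == upstream else "mismatch"
    return results
```

Only `Source0` is checked here: the other two entries have no URL, which is why the mechanism depends on the packager writing the full URL in the `Source:` field.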