Axel Braun wrote:
> A _service file is a convenient way to manage sources for a package automatically: Change the version number in the spec file, and it gets downloaded automatically. Unfortunately this is not allowed in many devel-repos or in Factory. That means additionally I have to provide the source-tarball OR run something like
>
> osc service localrun download_files

Personally, I think that _service files provide slightly better security, and I wonder why the slightly more secure solution is forbidden in many devel-repos. It's easier to monitor small _service files than big tarballs for modifications.

Regardless of the tarball source (upload from a developer or download by OBS via _service file), I think that the tarballs should be verified with GPG keys or SHA checksums. This verification is enabled in some Factory packages, but not in all.

See the discussion here:
[opensuse-factory] Build service and checksums for source code archive verification
https://lists.opensuse.org/opensuse-factory/2016-08/msg00213.html

Greetings,
Björn
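
As an added illustration of the checksum verification discussed in this message (not code from the thread or from OBS), the sketch below audits a _service file: it checks every `verify_file` entry against the tarball on disk and flags a `download_files` service that has no verification at all. It assumes the `file`, `verifier` and `checksum` parameters of the `verify_file` source service; the function names, the sample file name and the checksums are constructed for the example.

```python
import hashlib
import hmac
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ALLOWED = {"sha256", "sha512"}  # assumption: policy rejects md5/sha1 verifiers

def audit_service(service_xml, src_dir):
    """Return a list of findings for a _service file checked against src_dir."""
    findings, verified, downloads = [], 0, False
    for svc in ET.fromstring(service_xml).iter("service"):
        params = {p.get("name"): (p.text or "").strip() for p in svc.findall("param")}
        if svc.get("name") == "download_files":
            downloads = True
        elif svc.get("name") == "verify_file":
            fname, algo = params.get("file", ""), params.get("verifier", "")
            want = params.get("checksum", "").lower()
            if algo not in ALLOWED:
                findings.append(f"{fname}: verifier {algo!r} not allowed")
                continue
            try:  # basename only, so a crafted path cannot leave src_dir
                got = hashlib.new(algo, Path(src_dir, Path(fname).name).read_bytes()).hexdigest()
            except OSError:
                findings.append(f"{fname}: missing")
                continue
            if hmac.compare_digest(got, want):
                verified += 1
            else:
                findings.append(f"{fname}: checksum mismatch")
    if downloads and verified == 0 and not findings:
        findings.append("download_files without any verify_file")
    return findings

def demo():
    """Run three constructed _service variants against a constructed tarball."""
    with tempfile.TemporaryDirectory() as d:
        data = b"constructed sample tarball bytes"
        Path(d, "foo-1.0.tar.gz").write_bytes(data)
        tmpl = '<services><service name="download_files"/>{}</services>'
        verify = ('<service name="verify_file"><param name="file">foo-1.0.tar.gz</param>'
                  '<param name="verifier">sha256</param><param name="checksum">{}</param></service>')
        good = tmpl.format(verify.format(hashlib.sha256(data).hexdigest()))
        bad = tmpl.format(verify.format("0" * 64))
        return [audit_service(x, d) for x in (good, bad, tmpl.format(""))]

if __name__ == "__main__":
    print(demo())
```

An empty list means every pinned checksum matched; any other result names the file and the reason it failed.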