On Thursday, 5 May 2011, 10:30:20, Sascha Peilicke wrote:
> On Wednesday 04 May 2011 17:13:35 Vincent Untz wrote:
> > On Wednesday, 04 May 2011, at 16:59 +0200, Michal Marek wrote:
> > > I understand this, but in my use case, I never want to upload the tarball to the buildservice, so there would be no conflict. The server would simply download the missing file.
> >
> > If we want to support this, then I think using something like the verify_file (which checks the checksum of a file) service would be needed: it's important that what the build service downloads matches what you expected it to download.
>
> I talked with Michael about this about a month ago, this could be moved into the spec file too as an annotation. While I forget the exact 'annotation' syntax, it could look like this:
>
> #Source0-MD5: 1234567890
> #Source0-SHA1: 0987654321
> Source0: http://example.com/foo-0.1.tar.gz

Yes, we could support this via a service as well, but where is the sense if we track (at least md5) in our history anyway already? It would be more interesting to maintain a defined set of gpg keys, where we have verified that they are from upstream projects and use them for validation (if the project is signing their tarballs at all).

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
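
The spec-file annotation idea discussed in this thread, as an added example that is not part of any of the messages and is not Open Build Service code: it parses the hypothetical `#SourceN-ALGO:` comment syntax sketched above and checks downloaded bytes against every declared digest, failing closed when none is declared. The function names, the SHA256 entry in the allow-list, and the sample tarball bytes are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

# Hypothetical annotation syntax from the thread: "#Source0-SHA1: <hex digest>"
ANNOTATION = re.compile(r"^#Source(\d+)-([A-Za-z0-9]+):\s*([0-9A-Fa-f]+)\s*$")
SOURCE = re.compile(r"^Source(\d+):\s*(\S+)\s*$")
ALLOWED = {"md5", "sha1", "sha256"}  # sha256 is an assumption; the thread names MD5 and SHA1


def parse_spec(spec_text):
    """Return {index: {"url": str or None, "digests": {algo: hexdigest}}}."""
    sources = {}
    for line in spec_text.splitlines():
        line = line.strip()
        m = ANNOTATION.match(line)
        if m:
            algo = m.group(2).lower()
            if algo not in ALLOWED:
                raise ValueError(f"unsupported digest algorithm: {algo}")
            entry = sources.setdefault(int(m.group(1)), {"url": None, "digests": {}})
            entry["digests"][algo] = m.group(3).lower()
            continue
        m = SOURCE.match(line)
        if m:
            entry = sources.setdefault(int(m.group(1)), {"url": None, "digests": {}})
            entry["url"] = m.group(2)
    return sources


def verify_source(entry, data):
    """True only if a digest is declared and every declared digest matches."""
    if not entry["digests"]:
        return False  # fail closed: an unannotated download is not trusted
    for algo, expected in entry["digests"].items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


# Constructed sample: stands in for the bytes the server would download.
TARBALL = b"constructed stand-in for foo-0.1.tar.gz"
SPEC = "\n".join([
    "#Source0-MD5: " + hashlib.md5(TARBALL).hexdigest(),
    "#Source0-SHA1: " + hashlib.sha1(TARBALL).hexdigest(),
    "Source0: http://example.com/foo-0.1.tar.gz",
])

if __name__ == "__main__":
    entry = parse_spec(SPEC)[0]
    print(entry["url"], "ok" if verify_source(entry, TARBALL) else "MISMATCH")
```

A digest stored next to the URL only detects a download that differs from what the packager recorded; the signature check against verified upstream keys raised in the last message addresses a different question, namely whether the recorded tarball came from upstream in the first place.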