On 2014-11-15 17:09, Greg Freemyer wrote:
On November 15, 2014 10:14:12 AM EST, "Carlos E. R." <> wrote:
Carlos,
The question relates to the gpg signature of the tarball used to create the rpm, not the rpm's signature.
Ah, I see, thanks.
The mechanism adopted Feb 2013 is that if the Source: field of a specfile has the fully defined URL in it, then a redundant copy of the tarball is pulled directly from the source URL at key times and the signature of the tarball is compared to the signature of the tarball uploaded to OBS by the packager.
It prevents the intentional or unintentional inclusion of modifications in a tarball.
Quite reasonable. Then I have no opinion to offer :-)

If I may say so, though, redundant security checking is (normally) a good thing (TM).

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)