svn or arch

Colin Walters walters at redhat.com
Sat Dec 18 02:03:22 UTC 2004


On Sat, 2004-12-18 at 02:11 +0100, Enrico Scholz wrote:

> How? Signing the data-transfer can not be compared with SRPM signing.

In Arch for example, each individual changeset is signed with a GPG
signature.  What is the threat that SRPM signing solves that Arch
changeset signing doesn't?

> >> - SRPM give you reproducibility, CVS not
> >
> > Not true if you can map NVR->CVS tag.
> 
> You do not know if somebody renamed the tag between two checkouts.

This is a CVS flaw, to be sure.  But moving a tag should never happen;
we'd build a bit of intelligence into our tools to double-check this.

> >> - SRPM are buildable with system-tools (rpmbuild); for CVS you need lots
> >>   of prerequisites.
> >
> > Not necessarily.  We could just stick the necessary scripts in the
> > common/ dir or whatever.  Or just include the necessary tools in an
> > updated rpmbuild.
> 
> You will still need online-access. 

No, you don't.  You do a CVS checkout, and then build on your local
machine.  How is that different from SRPM?
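
One way the tag double-check mentioned above could work, as an added example that is not part of the original message and not Fedora's tooling: record the per-file revisions a tag resolved to at build time, then compare them against a later checkout of the same tag. The function names and the sample `CVS/Entries` contents are constructed for illustration, and the check assumes a CVS revision number always refers to the same file content.

```python
import hashlib

# Constructed sample: CVS/Entries contents when the package was built.
BUILD_ENTRIES = """\
/foo.spec/1.12/Fri Dec 17 20:01:11 2004//Tfoo-1_0-3
/sources/1.4/Thu Dec 16 09:30:02 2004//Tfoo-1_0-3
/foo-fix.patch/1.1/Thu Dec 16 09:30:02 2004//Tfoo-1_0-3
D/common////
"""
# Constructed sample: same tag checked out later, after it was moved on one file.
LATER_ENTRIES = BUILD_ENTRIES.replace("/foo.spec/1.12/", "/foo.spec/1.13/")


def parse_entries(text):
    """Map file name -> revision from the text of a CVS/Entries file."""
    revs = {}
    for line in text.splitlines():
        # File entries: /name/revision/timestamp/options/tagdate
        # Directory entries start with "D" and carry no revision.
        if not line.startswith("/"):
            continue
        fields = line.split("/")
        if len(fields) >= 6:
            revs[fields[1]] = fields[2]
    return revs


def manifest_digest(revs):
    """Stable SHA-256 over the sorted (name, revision) pairs, to store with the NVR."""
    h = hashlib.sha256()
    for name in sorted(revs):
        h.update(name.encode() + b"\0" + revs[name].encode() + b"\n")
    return h.hexdigest()


def moved_files(recorded, current):
    """List (name, recorded_rev, current_rev) for every file whose revision differs."""
    names = sorted(set(recorded) | set(current))
    return [(n, recorded.get(n), current.get(n))
            for n in names if recorded.get(n) != current.get(n)]


if __name__ == "__main__":
    built, later = parse_entries(BUILD_ENTRIES), parse_entries(LATER_ENTRIES)
    if manifest_digest(built) != manifest_digest(later):
        for name, old, new in moved_files(built, later):
            print(f"tag moved on {name}: {old} -> {new}")
```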




