fedora-rpmdevtools (was RE: spectool-1.0.2)
Erik LaBianca
erik at totalcirculation.com
Wed Mar 10 22:09:12 UTC 2004
> > I'd say we should just make a format that we expect .src.rpm and
md5sum
> > announcements in, and ask people to conform to that. I think quick
and
> > effective QA will be sufficient incentive.
>
> For average size packages, MD5 checksums and GPG signatures are not
> needed at all. The included tarball and maybe 1-2 patches can and must
be
> verified. Signatures get important for large packages, which include
lots
> of patches, for instance.
>
Given all the rhetoric on this list and on the fedora.us website, I see
no reason why rpm signatures on packages and md5sums should not be
required. They're easy to create. If they're not going to be required,
then we need to relax the requirements[1,2,3] for GPG signing everything
that goes into bugzilla too. Who determines when a package is "large
enough" to require a valid signature?
IMO, this kind of ambiguity is killing the project. It's impossible to
streamline a workflow when you allow for every possibility under the sun
at every step.
Personally, I feel that package submissions should be GPG-signed, and we
should eliminate posting the md5sums for the .src.rpm. Clearsigned
md5sums provide some assurance that the author hasn't changed the
package since it was QA'd, and provide a valuable addition to the QA
review, but not the initial package submission.
[1] http://www.fedora.us/wiki/PackageSubmissionQAPolicy
[2] http://www.fedora.us/pipermail/fedora-devel/2003-March/000459.html
[3] http://www.fedora.us/wiki/PUBLISHCriteria
--erik
More information about the fedora-devel-list
mailing list