fedora-rpmdevtools (was RE: spectool-1.0.2)

Michael Schwendt ms-nospam-0306 at arcor.de
Wed Mar 10 23:26:00 UTC 2004


On Wed, 10 Mar 2004 17:09:12 -0500, Erik LaBianca wrote:

> > For average size packages, MD5 checksums and GPG signatures are not
> > needed at all. The included tarball and maybe 1-2 patches can and must be
> > verified. Signatures get important for large packages, which include lots
> > of patches, for instance.
> 
> Given all the rhetoric on this list and on the fedora.us website, I see
> no reason why rpm signatures on packages and md5sums should not be
> required. They're easy to create. If they're not going to be required,
> then we need to relax the requirements[1,2,3] for GPG signing everything
> that goes into bugzilla too. 

That's not the point. Clearsigned GPG reviews/approvals are easy to
create, too. Yet GPG is considered one of the hurdles to "doing QA". It is
also not my intention to start a tiresome discussion of policies. It is my
personal opinion as a reviewer, that--although I check whether a src.rpm
is signed--I rely on checking the contents of the src.rpm, because the
signature doesn't add any safety for me as a reviewer. Neither does a
posted MD5 digest. The single important step is to identify an approved
package with its MD5 or SHA1 fingerprint.

> Who determines when a package is "large
> enough" to require a valid signature? 

Common sense.

It's not a question of whether to "require a signature". It's a question
of when a signature would make sense.

> IMO, this kind of ambiguity is killing the project.

So far the critics say that too many policies turn the project into
something that's too complicated. If you require packagers and reviewers
to use a specific format for their package requests and reviews, that will
be the target of additional criticism.

> It's impossible to
> streamline a workflow when you allow for every possibility under the sun
> at every step.

Everybody has different requirements.
 
-- 