diff options
| author | Todd Zullinger <tmz@pobox.com> | 2016-03-27 15:04:55 -0400 |
|---|---|---|
| committer | Todd Zullinger <tmz@pobox.com> | 2016-03-27 21:31:56 -0400 |
| commit | f5bc9a83835bae48836be2b3426ee87842c698fc (patch) | |
| tree | f8bbb5e5d6b4887825321085f8c4b3396513ed4a /sources | |
| parent | a823c54d04289fc13ecf8a2cf3931d47d24be407 (diff) | |
| download | git-package-verify-gpg-signatures.tar.gz git-package-verify-gpg-signatures.tar.xz git-package-verify-gpg-signatures.zip | |
Check upstream GPG signatures in %prepverify-gpg-signatures
Many years ago, the GPG signature file was included in the source list¹.
A compromise at kernel.org caused the tarballs to move to googlecode.com
for a number of releases and the signatures were not provided in an
easily downloaded format². When the source location was moved back to
kernel.org, the signature file had already been removed from the spec
file and was not re-added³.
There is an effort underway to make GPG signature verification a
requirement when upstream provides signatures⁴. Regardless of whether
this becomes a requirement in the packaging guidelines, verification of
upstream signatures makes good sense. It also makes the process easier
for git package maintainers, who are (or should be ;) doing this
manually for each upstream git release.
While adding the signatures to the source list, all non-upstream source
files were moved to Source10 and above. This should make it easier to
add new upstream source files in the future, avoiding the need for
tedious (and error-prone) renumbering of existing sources.
Remove the unused entry for Patch14 also.
¹ ea3f253 Include gpg signature for tarball in SRPM (2011-08-26)
² c57f383 Update to 1.7.9.1 (2012-02-15)
³ b741f45 Change source URLs, as googlecode doesn't have up-to-date
tarballs (2014-06-10)
⁴ https://fedorahosted.org/fpc/ticket/610
https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2TBK4LLNRH73QJQSXWFPCQYHGTSJ3C7P/
Diffstat (limited to 'sources')
| -rw-r--r-- | sources | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -1,3 +1,6 @@ b0219fcb6d73104361f4fbdba3741d00 git-2.7.4.tar.xz d37654c45897afa4501fe7bc138b576f git-htmldocs-2.7.4.tar.xz 52507ee81f9aac0abf85160398cd3e81 git-manpages-2.7.4.tar.xz +ed0dffdb32bc3c49673947ed99d421af git-2.7.4.tar.sign +717564d0ffd3cc2416df28ff73234be3 git-htmldocs-2.7.4.tar.sign +d5d42db9e7923a0ce8a0b0210d62d5e5 git-manpages-2.7.4.tar.sign |