[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: RFC: fedora.us QA approval format



> > > - Download of the sources, with md5sum check
> >
> > Maybe the download shouldn't be automatic, such that it is possible to
> > check that the download url is really the right url (presumably searching
> > first the project home page with google, in order not to use the url
> > provided in the srpm, and verifying that it is the right download page),
> > and not one with bad package?

Re: automatic downloading. My thought is that it's fine to be automatic,
since we print out the url that was downloaded in the TODO section to be
checked manually by the user as they see fit. 

The TODO list is currently eliminated in batch mode, but not for long.

> 
> Reviewers should also notice when upstream projects provide detached
GPG
> signatures, which can be used to verify the published tarballs.
> 

Agreed. I think it's going to have to be left up to the documentation
for now though, since I'm not aware of many standards for how this is
done. We could probably check for SRPMFILENAME.sig or something though,
I guess. Any thoughts?

--erik
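As an added example (not part of this mail, the thread, or any fedora.us QA tool), a Python sketch of the checks being discussed: md5sum verification of the downloaded tarball, printing the download URL into a TODO list for manual review, and probing for a detached GPG signature next to the tarball. The `.sig`/`.asc`/`.sign` names are assumed conventions, since the thread itself notes there is no standard; the URL, file name and file contents are constructed for the demo.

```python
"""Added example, not part of the original mail or of any fedora.us QA tool:
verify a downloaded source tarball by md5sum and look for a detached GPG
signature beside it. TARBALL.sig / .asc / .sign are assumed naming
conventions, not a standard."""
from __future__ import annotations

import hashlib
import os
import shutil
import subprocess
import tempfile
from urllib.parse import urlsplit

# Candidate suffixes for a detached signature file; an assumption, not a standard.
SIG_SUFFIXES = (".sig", ".asc", ".sign")


def md5sum(path: str, chunk: int = 1 << 16) -> str:
    """Hex md5 of a file, read in chunks so large tarballs are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_md5(path: str, expected: str) -> bool:
    """True if the file's md5sum equals the value recorded for the source."""
    return md5sum(path) == expected.strip().lower()


def signature_candidates(source_url: str) -> list[str]:
    """URLs a reviewer (or the tool) could probe for a detached signature."""
    return [source_url + s for s in SIG_SUFFIXES]


def find_local_signature(tarball: str) -> str | None:
    """Path of a detached signature sitting beside the tarball, if any."""
    for s in SIG_SUFFIXES:
        cand = tarball + s
        if os.path.exists(cand):
            return cand
    return None


def gpg_verify(tarball: str, sig: str) -> tuple[str, str]:
    """Run gpg --verify on a detached signature.

    Returns (status, detail); status is 'ok', 'bad' or 'skipped' (no gpg).
    'bad' and 'skipped' must be surfaced in the TODO list, never treated as
    a pass.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return "skipped", "gpg not installed"
    proc = subprocess.run([gpg, "--batch", "--verify", sig, tarball],
                          capture_output=True, text=True)
    return ("ok" if proc.returncode == 0 else "bad"), proc.stderr.strip()


def review_source(source_url: str, tarball: str, expected_md5: str) -> dict:
    """Collect what the QA output should print for the reviewer."""
    report = {
        "url": source_url,
        "host": urlsplit(source_url).netloc,
        "md5_ok": check_md5(tarball, expected_md5),
        "todo": [],
    }
    # The download is automatic, so the URL always goes on the TODO list.
    report["todo"].append(f"confirm {source_url} is the upstream download URL "
                          "(do not trust the URL in the SRPM alone)")
    if not report["md5_ok"]:
        report["todo"].append("md5sum MISMATCH: do not approve")
    sig = find_local_signature(tarball)
    if sig is None:
        report["signature"] = "none found"
        report["todo"].append("no detached signature; check upstream for one: "
                              + ", ".join(signature_candidates(source_url)))
    else:
        status, detail = gpg_verify(tarball, sig)
        report["signature"] = f"{sig}: {status}"
        if status != "ok":
            report["todo"].append(f"signature {status}: {detail}")
    return report


def demo(expected_md5: str = "5d41402abc4b2a76b9719d911017c592") -> dict:
    """Run the checks on a constructed sample file in a temporary directory.

    The file content is b"hello" (a stand-in for a real tarball), whose
    md5sum is the default expected value; pass another value to see the
    mismatch path.
    """
    tmp = tempfile.mkdtemp()
    tarball = os.path.join(tmp, "foo-1.0.tar.gz")  # constructed name
    with open(tarball, "wb") as f:
        f.write(b"hello")  # constructed content
    return review_source("http://example.org/foo-1.0.tar.gz", tarball, expected_md5)


if __name__ == "__main__":
    for item in demo()["todo"]:
        print("TODO:", item)
```

Note that a md5sum match only proves the download equals what the packager recorded; the reviewer still has to confirm the URL itself, which is why it stays on the TODO list even when every check passes.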



