RFC: fedora.us QA approval format

Warren Togami warren at togami.com
Sat Apr 3 02:10:12 UTC 2004


Michael Schwendt wrote:
> On Fri, 2 Apr 2004 10:38:54 +0200, Patrice Dumas wrote:
> 
> 
>>>- Download of the sources, with md5sum check
>>
>>Maybe the download shouldn't be automatic, such that it is possible to check
>>that the download url is really the right url (presumably searching first the
>>project home page with google, in order not to use the url provided in the
>>srpm, and verifying that it is the right download page), and not one with 
>>bad package ?
> 
> 
> Reviewers should also notice when upstream projects provide detached GPG
> signatures, which can be used to verify the published tarballs.
> 
> 

Reviewers should also harass upstream projects into providing GPG 
signatures "or else". =)

We managed to convince gaim and scribus, but few other people...

Warren
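
The checks discussed in this thread, written out as a reviewer-side shell helper. This is an added example, not part of the original message or any fedora.us tooling. The function names and file paths are hypothetical, and the sha256sum pass is an addition to the md5sum check named in the thread.

```shell
#!/bin/sh
# Added example (constructed): reviewer-side checks for a source tarball.
# Function names and file paths are hypothetical.

# Print the hex digest of file $2 using tool $1 (md5sum or sha256sum).
file_digest() {
    "$1" "$2" 2>/dev/null | awk '{print $1}'
}

# Compare the tarball unpacked from the SRPM ($1) with a copy the reviewer
# downloaded independently from the upstream site ($2).
# Returns 0 = identical, 1 = differ, 2 = a file is unreadable.
# md5sum is the check named in the thread; sha256sum is an addition here.
same_source() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    for tool in md5sum sha256sum; do
        a=$(file_digest "$tool" "$1")
        b=$(file_digest "$tool" "$2")
        [ -n "$a" ] && [ "$a" = "$b" ] || return 1
    done
    return 0
}

# Verify upstream's detached signature ($1) over the tarball ($2) and require
# that it was made by the key whose fingerprint is $3 (obtained out of band).
# Fails closed: missing gpg, missing key, or a bad signature all return 1.
verify_detached() {
    out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$out" | awk -v fp="$3" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fp || $NF == fp) { ok = 1 }
        END { exit !ok }'
}

# Typical use (paths are placeholders):
#   same_source srpm/foo-1.0.tar.gz upstream/foo-1.0.tar.gz &&
#   verify_detached upstream/foo-1.0.tar.gz.sig upstream/foo-1.0.tar.gz "$FPR"
```

Matching the fingerprint on the VALIDSIG status line ties the result to one specific key, so a good signature from some other key in the keyring does not pass.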




