svn or arch
Colin Walters
walters at redhat.com
Sat Dec 18 02:03:22 UTC 2004
On Sat, 2004-12-18 at 02:11 +0100, Enrico Scholz wrote:

> How? Signing the data-transfer can not be compared with SRPM signing.

In Arch for example, each individual changeset is signed with a GPG
signature. What is the threat that SRPM signing solves that Arch
changeset signing doesn't?

> >> - SRPM give you reproducibility, CVS not
> >
> > Not true if you can map NVR->CVS tag.
>
> You do not know if somebody renamed the tag between two checkouts.

This is a CVS flaw, to be sure. But moving a tag should never happen;
we'd build a bit of intelligence into our tools to double-check this.

> >> - SRPM are buildable with system-tools (rpmbuild); for CVS you need lots
> >> of prerequisites.
> >
> > Not necessarily. We could just stick the necessary scripts in the
> > common/ dir or whatever. Or just include the necessary tools in an
> > updated rpmbuild.
>
> You will still need online-access.

No, you don't. You do a CVS checkout, and then build on your local
machine. How is that different from SRPM?