
Revision as of 19:28, 14 June 2010 by Mdomsch (initial draft)

Proposal to address the concern that upstream source tarballs may be compromised at some point, including while they sit in our SCM lookaside cache. UnrealIRCd is currently facing exactly such a problem.

  1. Include the upstream source's tarball GPG signature file as a SourceN file in the spec.
  2. Include the upstream GPG public key as a SourceN file in the spec.
  3. Commit the upstream GPG public key to the SCM. Do not copy it into the lookaside cache. (Subject to debate).
  4. Commit the GPG signature file to the SCM. Do not copy it into the lookaside cache. (Subject to debate).
  5. Add capability to rpmbuild to import the GPG key and verify that the GPG signature matches. rpmbuild cannot (and need not) validate GPG key ownership.
  6. Add capability to rpmlint to import the GPG key and verify that the GPG signature matches in the SRPM. rpmlint cannot (and need not) validate GPG key ownership.
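As an added example that is not part of the original proposal, the following POSIX shell script implements the check that items 5 and 6 ask rpmbuild and rpmlint to perform: the upstream public key shipped as a SourceN file is imported into a throwaway keyring and the detached signature is verified against the tarball. Only the signature is checked; whether the key really belongs to upstream is left to the packager, as the proposal says. The script assumes GnuPG 2.1 or later and tar are installed; the key name, the file names (foo-1.0.tar, foo-1.0.tar.asc, upstream-key.asc) and the self-check data are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the Fedora proposal's own code): the signature check
# that items 5 and 6 ask rpmbuild/rpmlint to perform.
# Assumes GnuPG 2.1+ and tar are available.

# verify_source_signature KEYFILE SIGFILE TARBALL
# Returns 0 only when SIGFILE is a good detached signature over TARBALL
# made by a key contained in KEYFILE.  The key is imported into a throwaway
# keyring, so the builder's personal keyring can neither help nor hurt.
# Key ownership (does this key really belong to upstream?) is NOT checked.
verify_source_signature() {
    vs_key=$1; vs_sig=$2; vs_data=$3
    vs_home=$(mktemp -d) || return 2
    chmod 700 "$vs_home"
    vs_rc=1
    if GNUPGHOME="$vs_home" gpg --batch --quiet --import "$vs_key" 2>/dev/null &&
       GNUPGHOME="$vs_home" gpg --batch --quiet --verify "$vs_sig" "$vs_data" 2>/dev/null; then
        vs_rc=0
    fi
    GNUPGHOME="$vs_home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$vs_home"
    return $vs_rc
}

# selfcheck: builds constructed test data (a throwaway "upstream" key, a tiny
# tarball and its detached signature) and returns 0 only if the genuine
# tarball is accepted and a tampered copy is rejected.
selfcheck() {
    sc_work=$(mktemp -d) || return 2
    sc_signer="$sc_work/signer"
    mkdir -m 700 "$sc_signer"

    # Constructed upstream release: foo-1.0.tar containing one file (Source0).
    printf 'constructed upstream source\n' > "$sc_work/file.txt"
    tar -C "$sc_work" -cf "$sc_work/foo-1.0.tar" file.txt

    # Throwaway upstream signing key (constructed user id, no passphrase).
    GNUPGHOME="$sc_signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Upstream <upstream@example.invalid>' default default never 2>/dev/null

    # What upstream would publish: the detached signature (Source1) and the
    # public key (Source2).
    GNUPGHOME="$sc_signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$sc_work/foo-1.0.tar.asc" "$sc_work/foo-1.0.tar"
    GNUPGHOME="$sc_signer" gpg --batch --quiet --armor --export > "$sc_work/upstream-key.asc"
    GNUPGHOME="$sc_signer" gpgconf --kill gpg-agent 2>/dev/null || true

    # A compromised lookaside copy: same name upstream would use, one extra byte.
    cp "$sc_work/foo-1.0.tar" "$sc_work/foo-1.0-tampered.tar"
    printf 'x' >> "$sc_work/foo-1.0-tampered.tar"

    verify_source_signature "$sc_work/upstream-key.asc" "$sc_work/foo-1.0.tar.asc" \
        "$sc_work/foo-1.0.tar" && sc_good=0 || sc_good=1
    verify_source_signature "$sc_work/upstream-key.asc" "$sc_work/foo-1.0.tar.asc" \
        "$sc_work/foo-1.0-tampered.tar" && sc_bad=0 || sc_bad=1

    rm -rf "$sc_work"
    [ "$sc_good" -eq 0 ] && [ "$sc_bad" -ne 0 ]
}

# Stand-alone run: report the self-check result.
if selfcheck; then
    echo "self-check passed: genuine tarball accepted, tampered copy rejected"
else
    echo "self-check FAILED" >&2
    exit 1
fi
```

In a spec file the same call would sit at the top of %prep as `verify_source_signature "%{SOURCE2}" "%{SOURCE1}" "%{SOURCE0}"`, so that a tarball whose signature does not match aborts the build instead of being unpacked. Fedora later shipped this check as the `%{gpgverify}` macro in redhat-rpm-config, invoked as `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'`; that macro post-dates this proposal and is mentioned here only as the form the idea eventually took.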