How are Fedora RPM packages verified in RPMFusion buildsys?

Jarod Wilson jarod at wilsonet.com
Mon Feb 1 23:07:17 CET 2010


On Mon, Feb 1, 2010 at 3:57 PM, Stewart Adam <maillist at diffingo.com> wrote:
> On 2010/02/01 3:57 AM, Till Maas wrote:
>>
>> Hiyas,
>>
>> On Wed, Jan 13, 2010 at 02:42:26PM +0100, Till Maas wrote:
>>
>>> I just wondered how the RPM packages from Fedora used in RPMFusion
>>> buildroots are verified on the RPMFusion builders. Fedora uses direct
>>> access to the RPM packages via a secure channel afaik, but since
>>> RPMFusion does not use Fedora infrastructure, this seems not to be
>>> possible. Also I did not find the typical RPM message about importing
>>> the GPG key that is usually displayed on my local mock builds in the
>>> RPMFusion build roots. Therefore I fear that the RPMs are not verified
>>> at all, but please don't let this be true.
>>
>> except for an answer about the default mock config, there was no reply to
>> this within two weeks. So I conclude that they are very likely not
>> verified and nobody cares, that's bad. :-(
>
> I would bet that a more likely conclusion is that few people have access to
> the buildsys, and those that do are very busy ;)

Indeed they are. Just took a quick look at my own builder (which I
didn't actually set up, but I have access to). It isn't set to check
gpg sigs on packages. But it only pulls packages from known/trusted
mirrors (i.e., my own local one and the main rpmfusion ones).

-- 
Jarod Wilson
jarod at wilsonet.com
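
A check a builder admin could run over the yum configuration that a mock chroot config embeds, listing the repositories whose packages are installed without GPG signature verification and the transport each one relies on instead. This is an added example, not part of the original message or of RPM Fusion's tooling; the repo names, URLs and key path in the sample are constructed, and it assumes yum's documented behaviour that `gpgcheck` in `[main]` is the default for every repo and is off when unset.

```python
import configparser

# Constructed sample of the yum.conf text inside a mock chroot config.
# Repo names, URLs and the key path are invented for illustration.
SAMPLE_YUM_CONF = """
[main]
cachedir=/var/cache/yum
gpgcheck=0

[fedora]
name=fedora
baseurl=http://mirror.example.org/fedora/releases/12/Everything/x86_64/os/

[local-mirror]
name=local
baseurl=file:///srv/mirror/fedora/12/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/mock/RPM-GPG-KEY-example

[rpmfusion-free]
name=rpmfusion-free
mirrorlist=https://mirror.example.org/mirrorlist?repo=free-12&arch=x86_64
"""

TRUE_VALUES = {"1", "yes", "true"}


def audit_repos(yum_conf_text):
    """Return {repo: {"gpgcheck": bool, "transport": str}} per repo section."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever etc. literal
    cp.read_string(yum_conf_text)
    # [main] gpgcheck is inherited by every repo; unset means no checking.
    main_default = cp.get("main", "gpgcheck", fallback="0")
    report = {}
    for section in cp.sections():
        if section == "main":
            continue
        value = cp.get(section, "gpgcheck", fallback=main_default)
        source = ""
        for key in ("baseurl", "mirrorlist", "metalink"):
            source = cp.get(section, key, fallback="").strip()
            if source:
                break
        first = source.split()[0] if source else ""
        scheme = first.split(":", 1)[0].lower() if ":" in first else "unknown"
        report[section] = {"gpgcheck": value.strip().lower() in TRUE_VALUES,
                           "transport": scheme}
    return report


def unverified(report):
    """Names of repos whose packages are installed without a signature check."""
    return sorted(name for name, r in report.items() if not r["gpgcheck"])
```

A repo reported with `gpgcheck` off and an `http` transport has neither package signatures nor transport integrity protecting what lands in the buildroot.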


More information about the rpmfusion-developers mailing list