Dennis Gilmore <dennis(a)ausil.us> wrote:
> Today we rely on you as a packager
> verifying the sources, and by uploading them directly you are saying
> this is really what I intended to send you and I have ensured that it
> is good. You would need to work with release engineering and
> infrastructure to come up with some way to sign off on the code being
> used.
Like maybe writing a hash of the tarball in the sources file (with some
help from fedpkg perhaps) and checking that in? Then a server in the
Fedora Project infrastructure could fetch the tarball from the Source
URL in the spec and verify that it matches the hash.
Björn Persson
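The check Björn sketches above (a digest of each tarball recorded in the sources file, then an infrastructure-side job that fetches the tarball and compares) as an added, self-contained example. This is editor-written illustration code, not fedpkg or Fedora infrastructure code, and it makes the following assumptions: the sources file uses either the BSD-style "SHA512 (name) = hex" line or the older two-column "md5hex  name" line; a local directory stands in for what the server would download from the Source URLs, so the example runs offline; the names check_sources, verify_tarball and demo are hypothetical; and the sample tarball bytes and digests in demo() are constructed. The decision to fail closed on md5 is this example's own caveat, not something the thread proposes: a digest that can be collided does not bind the fetched tarball to what the packager inspected.

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style line: "SHA512 (foo-1.0.tar.gz) = <hex>"
BSD_STYLE = re.compile(
    r"^(?P<alg>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]+)$")
# older two-column line: "<md5hex>  foo-1.0.tar.gz"
LEGACY_STYLE = re.compile(r"^(?P<digest>[0-9a-fA-F]{32})\s+(?P<name>\S+)$")

# Editor's caveat: only collision-resistant digests bind the tarball.
STRONG_ALGORITHMS = {"sha256", "sha512"}


def parse_sources(text):
    """Map each filename in a sources file to (algorithm, lowercase hex digest)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_STYLE.match(line)
        if m:
            entries[m["name"]] = (m["alg"].lower(), m["digest"].lower())
            continue
        m = LEGACY_STYLE.match(line)
        if m:
            entries[m["name"]] = ("md5", m["digest"].lower())
            continue
        raise ValueError(f"unparseable sources line: {raw!r}")
    return entries


def hash_file(path, algorithm):
    """Stream the file through hashlib so a large tarball is not read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(path, algorithm, expected_digest):
    """Return (ok, reason); weak or unknown algorithms fail closed."""
    if algorithm not in STRONG_ALGORITHMS:
        return False, f"weak or unknown digest algorithm {algorithm}"
    actual = hash_file(path, algorithm)
    # constant-time comparison; both values are ASCII hex strings
    if not hmac.compare_digest(actual, expected_digest):
        return False, f"digest mismatch: expected {expected_digest[:16]}..., got {actual[:16]}..."
    return True, "ok"


def check_sources(sources_text, fetched_dir):
    """Verify every file listed in the sources text against its copy in fetched_dir.
    fetched_dir stands in for what the server would fetch from the Source URLs."""
    results = {}
    for name, (alg, digest) in parse_sources(sources_text).items():
        path = os.path.join(fetched_dir, name)
        if not os.path.isfile(path):
            results[name] = (False, "not fetched")
            continue
        results[name] = verify_tarball(path, alg, digest)
    return results


def demo():
    """Constructed scenario: a genuine tarball, a tampered one, an md5-only entry,
    and an entry whose tarball could not be fetched."""
    genuine = b"constructed tarball bytes for foo-1.0"
    tampered = b"constructed tarball bytes for bar-2.0 with a backdoor"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("foo-1.0.tar.gz", genuine),
                           ("bar-2.0.tar.gz", tampered),
                           ("baz-3.0.tar.gz", genuine)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        sources = "\n".join([
            f"SHA512 (foo-1.0.tar.gz) = {hashlib.sha512(genuine).hexdigest()}",
            # the packager hashed a clean bar-2.0; what was fetched differs
            f"SHA256 (bar-2.0.tar.gz) = {hashlib.sha256(b'clean bar-2.0').hexdigest()}",
            f"{hashlib.md5(genuine).hexdigest()}  baz-3.0.tar.gz",
            f"SHA256 (qux-4.0.tar.gz) = {hashlib.sha256(b'qux').hexdigest()}",
        ])
        return check_sources(sources, d)


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
```

In a real deployment the fetch step would be the infrastructure server's own download from the spec's Source URL, and a mismatch should block the build rather than just be reported; the parser above is deliberately strict and raises on any line it does not recognise so a malformed sources file cannot silently skip a tarball.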