fedora-installkey (install a key from keyserver into the fedora rpm keyring)
This would be a really good idea! Have you managed to be able to script the removal of all signatures from that key though, so you can export a keyfile that won't cause rpm to be b0rked?
I have signature removal scripted. However, it isn't working. Removing all uids and all signatures doesn't seem to work correctly, and I haven't been able to strip a key by hand successfully, so I'm stuck. I'd appreciate some help :)
fedora-qastart (download srpms+md5sums from bugzilla, verify them, verify sources using spectool, output preliminary qa checklist)
fedora-qatemplate (create a qa template to paste fedora-qatest input into, gpg sign it, maybe submit it to bugzilla eventually too)
This would be tough, because there is currently no one standard way of putting it into bugzilla. Some people use the URL field, while others post a link to it in the comments, while others (unhappily) never update that link with package updates and I have to go fishing for it...
I'm somewhat successfully downloading stuff from bugzilla. I just download the bugzilla page source, and look for "http://.*\.src\.rpm" and "http://$1.*md5.*". For the stuff I've tried, it works well. This way it only catches clickable links. If we want it to catch url field entries as well, it wouldn't be a difficult change.
I'm sure there are some entries that will confuse it, but they could be coded around.
I'd say we should just make a format that we expect .src.rpm and md5sum announcements in, and ask people to conform to that. I think quick and effective QA will be sufficient incentive.
The stuff I have is available at http://www.ilsw.com/~erik/ if anyone is interested.
--erik
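The two-pattern approach described in the message above (find a clickable .src.rpm link, then an md5 link with the same base), followed by the md5sum check that fedora-qastart would run, as an added Python example; it is not code from the thread or from Erik's scripts, and the page source, host name example.invalid, md5sum listing and file contents are all constructed.

```python
import hashlib
import re

# Constructed stand-in for a saved Bugzilla page source (hypothetical host
# example.invalid): one .src.rpm with an md5sum link, one without, and an
# unrelated link that must be ignored.
SAMPLE_PAGE = """
<a href="http://example.invalid/~dev/foo-1.0-1.src.rpm">foo-1.0-1.src.rpm</a>
<a href="http://example.invalid/~dev/foo-1.0-1.src.rpm.md5sum">md5sum</a>
<a href="http://example.invalid/~dev/bar-2.0-3.src.rpm">bar-2.0-3.src.rpm</a>
<a href="http://example.invalid/~dev/bar-2.0-3.tar.gz">tarball</a>
"""

# First pattern from the message: a clickable http://...src.rpm link; the part
# after http:// is captured so the md5 link can be matched against it ($1).
SRPM_RE = re.compile(r'href="http://([^"\s]*)\.src\.rpm"')

def find_srpms(page):
    """Return {srpm_url: md5_url or None} for every clickable .src.rpm link."""
    found = {}
    for base in SRPM_RE.findall(page):
        # Second pattern: http://<same base>...md5...; re.escape keeps the
        # dots and dashes of the captured base literal.
        md5_re = re.compile(r'href="(http://' + re.escape(base) + r'[^"\s]*md5[^"\s]*)"')
        m = md5_re.search(page)
        found["http://%s.src.rpm" % base] = m.group(1) if m else None
    return found

def verify_md5sum(listing, files):
    """Check an md5sum listing ('<hex>  <name>' per line) against file bytes.
    Returns {name: bool}; a listed file that is absent counts as failed."""
    results = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        expected, name = line.split(None, 1)
        data = files.get(name)
        results[name] = data is not None and hashlib.md5(data).hexdigest() == expected.lower()
    return results

# Constructed md5sum file: a correct entry, a tampered entry, a missing file.
SAMPLE_LISTING = """b1946ac92492d2347c6235b4d2611184  foo-1.0.tar.gz
00000000000000000000000000000000  foo-fix.patch
d41d8cd98f00b204e9800998ecf8427e  foo.spec
"""
SAMPLE_FILES = {"foo-1.0.tar.gz": b"hello\n", "foo-fix.patch": b"hello\n"}
if __name__ == "__main__":
    print(find_srpms(SAMPLE_PAGE))
    print(verify_md5sum(SAMPLE_LISTING, SAMPLE_FILES))
```

A missing file is reported as a failure rather than skipped, so a listing that names a tarball the bug never attached cannot pass the check.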
On Wed, 10 Mar 2004 14:55:26 -0500, Erik LaBianca wrote:
I'd say we should just make a format that we expect .src.rpm and md5sum announcements in, and ask people to conform to that. I think quick and effective QA will be sufficient incentive.
For average size packages, MD5 checksums and GPG signatures are not needed at all. The included tarball and maybe 1-2 patches can and must be verified. Signatures get important for large packages, which include lots of patches, for instance.