#5586: Block fedora-usermgmt in rawhide.
-----------------------------+------------------------
Reporter: limb | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 19 Alpha | Component: koji
Keywords: | Blocked By:
Blocking: |
-----------------------------+------------------------
All packages using it have been migrated to guideline scriptlets.
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5586>
Fedora Release Engineering <http://fedorahosted.org/rel-eng>
Release Engineering for the Fedora Project
#5585: Separate checksum file and signature to avoid incorrect usage (warnings)
-----------------------------+------------------------
Reporter: shaiton | Owner: rel-eng@…
Type: task | Status: new
Milestone: Fedora 19 Alpha | Component: koji
Keywords: | Blocked By:
Blocking: |
-----------------------------+------------------------
The actual procedure to test downloads is:
https://fedoraproject.org/verify
The signature is inside the checksum file.
Which results in the following warnings that could be misread:
{{{
sha256sum: WARNING: 20 lines are improperly formatted
sha256sum: WARNING: 7 listed files could not be read
}}}
There are two ways to avoid that:
* Forcing people to check the sig by downloading the checksum.asc file,
checking it with gpg, then running sha256 to check the output file.
* Using a detached signature to make it faster for people who do not
want to check the sig (and import it). The first solution could be used
that way if we use clear-sig.
Therefore, the idea would be to go for the first solution. One would check the
ISO by:
* importing the Fedora signature: `curl https://fedoraproject.org/static/fedora.gpg | gpg --import`
* downloading the checksum.asc file that would have been created with `gpg -s --clearsign checksum` for example.
* checking the sig and exporting the checksum file `gpg checksum.asc`
* doing the checksum test: `sha256sum -c checksum`
The following process for people just wanting to check the file without
the sig will just be downloading the ISO, computing the checksum manually
on the file, and comparing the output manually on the online clear
signature file.
We will still have the warning for missing files, but at least the "20
lines are improperly formatted" will be dropped and won't scare people
anymore.
--
Ticket URL: <https://fedorahosted.org/rel-eng/ticket/5585>
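
Added example, not part of the ticket or of Fedora's tooling: a Python sketch of what the `gpg checksum.asc` step in ticket #5585 strips away before `sha256sum -c checksum` runs, showing that the lines that are not checksum entries are the clear-sign framing. The file names, sample data and placeholder signature block are constructed; the code only separates the parts and does not verify the signature, which remains gpg's job.

```python
import hashlib
import re

# GNU-style checksum entry: 64 hex digits, a space, ' ' or '*', then a file name.
ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (body_lines, framing_lines); separates parts only, does NOT verify."""
    body, framing, state = [], [], "outside"
    for line in text.splitlines():
        if state == "body" and line != BEGIN_SIG:
            # Undo dash-escaping ("- " prefix) applied to the signed text.
            body.append(line[2:] if line.startswith("- ") else line)
            continue
        if line:
            framing.append(line)  # armor marker, armor header or signature data
        if state == "outside" and line == BEGIN_MSG:
            state = "headers"
        elif state == "headers" and line == "":
            state = "body"       # a blank line ends the armor headers
        elif state == "body":
            state = "signature"  # reached BEGIN_SIG
    return body, framing

def check_entries(body, files):
    """Check each checksum entry; files maps name -> bytes (stands in for disk)."""
    results = {}
    for digest, name in (m.groups() for m in map(ENTRY.match, body) if m):
        if name not in files:
            results[name] = "missing"
        elif hashlib.sha256(files[name]).hexdigest() == digest.lower():
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results

# Constructed sample: stand-in ISO bytes and a placeholder, not a real signature.
ISO = b"constructed stand-in for an ISO image\n"
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "",
    hashlib.sha256(ISO).hexdigest() + " *demo-DVD.iso",
    "0" * 64 + " *demo-netinst.iso",
    BEGIN_SIG, "", "PLACEHOLDER+NOT+A+REAL+SIGNATURE",
    "-----END PGP SIGNATURE-----",
]) + "\n"
body, framing = split_clearsigned(SAMPLE)
print(len(framing), "framing lines;", check_entries(body, {"demo-DVD.iso": ISO}))
```

The "missing" result corresponds to the "listed files could not be read" warning that the ticket expects to remain when only one image has been downloaded.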