Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1272235

Summary: Review Request: distribution-gpg-keys - Keys of various Linux distributions
Product: [Fedora] Fedora Reporter: Miroslav Suchý <msuchy>
Component: Package ReviewAssignee: Zbigniew Jędrzejewski-Szmek <zbyszek>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: carl, e, package-review, samuel-rhbugs, zbyszek
Target Milestone: ---Flags: zbyszek: fedora-review+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-10 02:52:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miroslav Suchý 2015-10-15 19:57:50 UTC 
Spec URL: http://miroslav.suchy.cz/fedora/distribution-gpg-keys.spec
SRPM URL: http://miroslav.suchy.cz/fedora/distribution-gpg-keys-1.1-1.fc22.src.rpm
Description: 
GPG keys used by various Linux distributions to sign packages.

Fedora Account System Username: msuchy
Comment 1 Zbigniew Jędrzejewski-Szmek 2015-10-16 00:13:53 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=1246701 is about including more Fedora keys in fedora-repos.

There's also https://apps.fedoraproject.org/packages/archlinux-keyring for similar purpose.

I think it is very useful and increases security of various cross-distro installation. I wonder though whether not to remove Fedora and EPEL keys from this, since they will be included in fedora-repos, or maybe to add a check to make sure that they are identical in both packages.

Regarding packaging:
- why not use a github tarball directly? It's much nicer than to force a git clone and additional steps.

- GPL, seriously? I'm all for GPL, but in this case CC-0 seems a much better choice. After all, this should be freely copied.
Comment 2 Miroslav Suchý 2015-10-16 07:46:23 UTC 
(In reply to Zbigniew Jędrzejewski-Szmek from comment #1)
> https://bugzilla.redhat.com/show_bug.cgi?id=1246701 is about including more
> Fedora keys in fedora-repos.

Interresting. But still it will miss all others (centos/epel/rpmfusion...)
I can add those old keys too.

> I think it is very useful and increases security of various cross-distro
> installation. I wonder though whether not to remove Fedora and EPEL keys
> from this, since they will be included in fedora-repos, or maybe to add a
> check to make sure that they are identical in both packages.

bug 1246701 speaks just about old fedora keys, not about epel IIRC.

 
> Regarding packaging:
> - why not use a github tarball directly? It's much nicer than to force a git
> clone and additional steps.

Because github tarball checksum was not stable in past (not sure if this changed recently). Also the URL is changing nearly each year. At least the URL we should use as suggested by Fedora Guidelines.
And I do not use or create tar.gz at all. I just wrote
  tito --srpm
and it will craft (binary identical) tar.gz for me.

> - GPL, seriously? I'm all for GPL, but in this case CC-0 seems a much better
> choice. After all, this should be freely copied.

Good point. License changed to CC-0.

Spec URL: http://miroslav.suchy.cz/fedora/distribution-gpg-keys.spec
SRPM URL: http://miroslav.suchy.cz/fedora/distribution-gpg-keys-1.2-1.fc22.src.rpm
Comment 3 Zbigniew Jędrzejewski-Szmek 2015-10-16 23:19:34 UTC 
(In reply to Miroslav Suchý from comment #2)
> > I think it is very useful and increases security of various cross-distro
> > installation. I wonder though whether not to remove Fedora and EPEL keys
> > from this, since they will be included in fedora-repos, or maybe to add a
> > check to make sure that they are identical in both packages.
> 
> bug 1246701 speaks just about old fedora keys, not about epel IIRC.
Oh, right, fedora-repos is only about Fedora repos and keys.

> > Regarding packaging:
> > - why not use a github tarball directly? It's much nicer than to force a git
> > clone and additional steps.
> 
> Because github tarball checksum was not stable in past (not sure if this
> changed recently). Also the URL is changing nearly each year. At least the
> URL we should use as suggested by Fedora Guidelines.
> And I do not use or create tar.gz at all. I just wrote
>   tito --srpm
> and it will craft (binary identical) tar.gz for me.
The tarballs are stable, and are actually recommended by the guidelines.
https://fedoraproject.org/wiki/Packaging:SourceURL#Git_Tags
Comment 4 Zbigniew Jędrzejewski-Szmek 2015-10-16 23:24:09 UTC 
BTW, I think that this package is useful. It also meets packaging guidelines. I'll wait a few more days for the discussion on the mailing list to wind down though.
Comment 5 Zbigniew Jędrzejewski-Szmek 2015-10-22 17:15:49 UTC 
So... review is trivial.
- the source material is in the public domain
- name is fine
- packaging is OK
- rpmlint is happy.

Package is APPROVED.

Please consider using the github tarball as source.
Comment 6 Upstream Release Monitoring 2015-12-06 18:26:17 UTC 
pbrobinson's scratch build of linux-user-chroot?#b7afe5173cbd31b029b027b6f8a14baa5e6ce87a for epel7-archbootstrap and git://pkgs.fedoraproject.org/linux-user-chroot?#b7afe5173cbd31b029b027b6f8a14baa5e6ce87a failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12089939
Comment 7 Mike McCune 2016-03-28 23:47:57 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 8 Carl George 2018-07-10 02:52:32 UTC 
This has been available since https://bodhi.fedoraproject.org/updates/distribution-gpg-keys-1.3-1.fc22