Verify upstream sources with GPG
This is now a recommended thing to do:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification

Regardless of whether it adds actual security, it should prevent problems like this one:
https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/
parent e0704196d3
commit 853a0fc587
3 changed files with 11548 additions and 1 deletions
|
|
@ -159,6 +159,7 @@ BuildRequires: gdbm-devel
|
|||
BuildRequires: glibc-all-langpacks
|
||||
BuildRequires: glibc-devel
|
||||
BuildRequires: gmp-devel
|
||||
BuildRequires: gnupg2
|
||||
BuildRequires: libappstream-glib
|
||||
BuildRequires: libffi-devel
|
||||
BuildRequires: libnsl2-devel
|
||||
|
|
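Review bot: the new `BuildRequires: gnupg2` line has no comment saying what needs it. It is there only for the signature check that this commit adds to %prep, so a one-line comment above it (for example `# For source verification in prep`) would keep it from being dropped later as an apparently unused build dependency.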
@ -209,7 +210,9 @@ BuildRequires: python%{pyshortver}
|
|||
# Source code and patches
|
||||
# =======================
|
||||
|
||||
Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
|
||||
Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
|
||||
Source1: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz.asc
|
||||
Source2: %{url}static/files/pubkeys.txt
|
||||
|
||||
# A simple script to check timestamps of bytecode files
|
||||
# Run in check section with Python that is currently being built
|
||||
|
|
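Review bot: Source2 points the keyring at the same host that serves Source0 and Source1, so the check in %prep only adds assurance if pubkeys.txt is a copy committed alongside the spec and any change to it is reviewed, rather than being refetched together with each new tarball. A comment above Source1 and Source2 stating what they are and how the keyring was obtained would make that explicit. Separately, Source0 now depends on %{url} ending in a slash (`%{url}ftp/python/...`); the URL tag is outside this hunk, so please confirm it does.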
@ -570,6 +573,7 @@ version once Python %{pybasever} is stable.
|
|||
# ======================================================
|
||||
|
||||
%prep
|
||||
%gpgverify -k2 -s1 -d0
|
||||
%setup -q -n Python-%{upstream_version}
|
||||
# Remove all exe files to ensure we are not shipping prebuilt binaries
|
||||
# note that those are only used to create Microsoft Windows installers
|
||||
|
|
|
|||
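Review bot: the numeric arguments in `%gpgverify -k2 -s1 -d0` are bound to the Source numbering (keyring Source2, signature Source1, data Source0) and nothing on the line says so. Please add a comment above it naming the three files, so that inserting or renumbering a Source later does not leave the check pointing at the wrong one. Running it before `%setup` is the right order, since nothing is unpacked until the tarball has been verified.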