Disable source fetch on build by default (for now) + comment

- We need to grow some digest (and why not external signature as well)
  validation mechanism before we can let rpmbuild download + execute
  arbitrary content from the internet, at least by default.

diff --git a/macros.in b/macros.in
index 6034721..7919461 100644 (file)
--- a/macros.in
+++ b/macros.in
@@ -387,6 +387,12 @@ package or when debugging this package.\
 %_binaries_in_noarch_packages_terminate_build  1
 
 #
+# Should rpm try to download missing sources at build-time?
+# Enabling this is dangerous as long as rpm has no means to validate
+# the integrity of the download with a digest or signature.
+%_disable_source_fetch 1
+
+#
 # Program to call for each successfully built and written binary package.
 # The package name is passed to the program as a command-line argument.
 #