From fb3afcbff7dd4e7a79869f3cd835f533527792c6 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Wed, 7 Mar 2012 13:40:08 +0200
Subject: [PATCH] Disable source fetch on build by default (for now) + comment

- We need to grow some digest (and why not external signature as well) validation mechanism before we can let rpmbuild download + execute arbitrary content from the internet, at least by default.
---
 macros.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/macros.in b/macros.in
index 6034721..7919461 100644
--- a/macros.in
+++ b/macros.in
@@ -387,6 +387,12 @@ package or when debugging this package.\
 %_binaries_in_noarch_packages_terminate_build 1
 
 #
+# Should rpm try to download missing sources at build-time?
+# Enabling this is dangerous as long as rpm has no means to validate
+# the integrity of the download with a digest or signature.
+%_disable_source_fetch 1
+
+#
 # Program to call for each successfully built and written binary package.
 # The package name is passed to the program as a command-line argument.
 #
-- 
2.7.4
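Review bot: The new comment asks "Should rpm try to download missing sources at build-time?" but the macro beneath it is negated, so `%_disable_source_fetch 1` reads as "yes" when it actually means "never fetch". I would state the polarity in the comment, e.g. `# Set to 0 to let rpm download missing sources at build-time; 1 (the default) never fetches.`, and keep the existing integrity warning below it. The code that reads this macro is not part of the patch; it is worth confirming there that an undefined macro is treated as disabled, so a build that runs with a macros file lacking this entry fails closed instead of fetching unverified sources.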