I recently suggested removing the complex machinery used to build upstream unsigned RPMs from git. My assumption was that nobody is using it. However, Shawn replied to the PR that many people are using it.
I wanted to open a more formal discussion about this. Personally, I still feel like the complexity is too great for the very limited value we get out of unsigned RPMs that are not part of any repository.
Of course we will keep building SSG for RHEL, Fedora and other distros. We do this using a completely separate set of scripts and spec files.
Most of the arguments are in the GitHub PR itself, and if you have something to add, please reply to the pull request to keep everything in one place.
https://github.com/OpenSCAP/scap-security-guide/pull/1520
scap-security-guide@lists.fedorahosted.org