[Rpm-ecosystem] Reproducible Builds

Miroslav Suchy msuchy at redhat.com
Tue Mar 1 16:27:55 UTC 2016


On 1.3.2016 at 17:18 Neal Gompa wrote:
> One important aspect that would make reproducible builds more
> trustworthy in the RPM world would be some capability to indicate
> checksums for sources and patches so that rpmbuild can verify them.
> Debian already does this in the Debian Source Control (dsc) file, as
> seen by this example[1]. Without some way to introduce build-time
> verification of sources independent of a build system, it'd be hard to
> reliably test in a simple manner that the inputs are what you expect
> them to be. This is really more important during the srpm creation
> stage, as that's when the archives and patches are bundled into a
> unified source archive that can be used by anything (including mock)
> to build packages.
> 
> [1]: http://debian.csail.mit.edu/debian/pool/main/r/rpm/rpm_4.12.0.1+dfsg1-3.dsc

Isn't this the equivalent of dist-git? Sans the signature. But if you do a
signed tag in dist-git then you will have all the information as Debian
has in the dsc file.

Mirek
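The build-time input check Neal describes above, as an added example that is not part of the original thread: a small Python verifier that reads a Debian .dsc style `Checksums-Sha256` stanza and checks every listed source tarball and patch against it before they would be bundled into an SRPM. The stanza layout (`<sha256> <size> <filename>` per line) follows the .dsc format; the directory, file names, file contents and the `verify_sources` / `demo` helpers are constructed for this example and are not rpmbuild or dist-git code.

```python
"""Verify source tarballs and patches against a checksum manifest before
they are bundled into a source package.

The manifest format mirrors the Debian .dsc "Checksums-Sha256" stanza:
one continuation line per file, "<sha256 hex> <size in bytes> <filename>".
All file names and contents below are constructed for this example.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple


def parse_checksums(manifest: str) -> Dict[str, Tuple[str, int]]:
    """Parse a Checksums-Sha256 stanza into {filename: (hexdigest, size)}."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_stanza = False
    for raw in manifest.splitlines():
        if raw.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if not in_stanza:
            continue
        # RFC 822 style continuation lines start with whitespace; anything
        # else (e.g. the next "Files:" field) ends the stanza.
        if not raw[:1].isspace():
            in_stanza = False
            continue
        parts = raw.split()
        if len(parts) != 3:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, size, name = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def sha256_of(path: str) -> Tuple[str, int]:
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def verify_sources(srcdir: str, manifest: str) -> List[str]:
    """Return a list of problems; an empty list means every input matched."""
    problems: List[str] = []
    expected = parse_checksums(manifest)
    if not expected:
        return ["manifest lists no files"]
    for name, (digest, size) in expected.items():
        # basename() keeps a hostile manifest entry from pointing outside srcdir.
        path = os.path.join(srcdir, os.path.basename(name))
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        actual_digest, actual_size = sha256_of(path)
        if actual_size != size:
            problems.append(f"{name}: size {actual_size} != {size}")
        if not hmac.compare_digest(actual_digest, digest):
            problems.append(f"{name}: sha256 mismatch")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Write a constructed source tree, verify it, then append a line to a
    patch and verify again. Returns (problems_before, problems_after)."""
    sources = {
        "example-1.0.tar.gz": b"not a real tarball, constructed for the example\n",
        "fix-build.patch": b"--- a/Makefile\n+++ b/Makefile\n@@ -1 +1 @@\n-CFLAGS=\n+CFLAGS=-O2\n",
    }
    with tempfile.TemporaryDirectory() as srcdir:
        lines = ["Checksums-Sha256:"]
        for name, data in sources.items():
            with open(os.path.join(srcdir, name), "wb") as f:
                f.write(data)
            lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
        manifest = "\n".join(lines) + "\nFiles:\n"
        before = verify_sources(srcdir, manifest)
        # Simulate a patch that changed after the manifest was written.
        with open(os.path.join(srcdir, "fix-build.patch"), "ab") as f:
            f.write(b"+LDFLAGS=-s\n")
        after = verify_sources(srcdir, manifest)
    return before, after


if __name__ == "__main__":
    ok, tampered = demo()
    print("clean tree:", ok or "all inputs verified")
    print("tampered tree:", tampered)
```

The size check is cheap and catches truncated downloads early, while the digest comparison is what actually pins the input; both are reported separately so a packager can tell a short file from a substituted one. In a real pipeline this step would run between fetching the sources and invoking the SRPM build, refusing to continue when the returned list is non-empty.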

