[Rpm-ecosystem] Reproducible Builds
davejohansen at gmail.com
Tue Mar 1 19:48:43 UTC 2016
On Tue, Mar 1, 2016 at 12:20 PM, Neal Gompa <ngompa13 at gmail.com> wrote:
> On Tue, Mar 1, 2016 at 11:27 AM, Miroslav Suchy <msuchy at redhat.com> wrote:
> > On 1.3.2016 at 17:18 Neal Gompa wrote:
> > Isn't this equivalent of dist-git? Sans the signature. But if you do
> > signed tag in dist-git then you will have all the information as Debian
> > has in dsc file.
> That's true, but what about the case where people don't have a
> dist-git? There are definitely environments where people are using
> CVS, SVN, or even nothing at all. I know for at least a few
> distributions that are not built using an SCM.
> Also, since we can use tools like spectool to retrieve sources/patches
> that have URLs, having tags in the spec with checksum information
> means that those tools can use that information to check the
Aside from revision control and the current Fedora system for doing builds,
it would be nice if the .spec and/or source .rpm had verifiable hashes of
what the original/intended content is. My understanding is that a nefarious
agent could easily replace a patch or source tarball in a source .rpm and
then there's no way to detect that that happened.
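As an added example (not code from this thread, from spectool or from rpm), the following Python checker reads the Source/Patch tags of a spec and compares the files on disk against recorded SHA-256 values, which is the check the proposal above would enable. The `# <Tag>-sha256: <hex>` comment line is a hypothetical convention for this example only; the thread fixes no format.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Source0/Patch0 are real spec tags; the '# <Tag>-sha256: <hex>' line is hypothetical.
SOURCE_RE = re.compile(r"^(Source|Patch)(\d*)\s*:\s*(\S+)", re.M)
SUM_RE = re.compile(r"^#\s*((?:Source|Patch)\d*)-sha256:\s*([0-9a-fA-F]{64})", re.M)

def parse_spec(spec_text: str) -> dict:
    """Map tag name (e.g. 'Source0') -> (file basename, expected sha256 or None)."""
    sums = {tag: h.lower() for tag, h in SUM_RE.findall(spec_text)}
    entries = {}
    for kind, num, url in SOURCE_RE.findall(spec_text):
        tag = f"{kind}{num}"
        entries[tag] = (url.rsplit("/", 1)[-1], sums.get(tag))
    return entries

def verify_sources(spec_text: str, sources_dir) -> dict:
    """Return tag -> 'ok' | 'mismatch' | 'missing-file' | 'no-checksum'."""
    results = {}
    for tag, (name, expected) in parse_spec(spec_text).items():
        path = Path(sources_dir) / name
        if expected is None:
            results[tag] = "no-checksum"  # nothing recorded to verify against
        elif not path.is_file():
            results[tag] = "missing-file"
        else:
            actual = hashlib.sha256(path.read_bytes()).hexdigest()
            results[tag] = "ok" if actual == expected else "mismatch"
    return results

def demo() -> dict:
    """Constructed sample: intact tarball, tampered patch, unlisted and absent sources."""
    tarball = b"constructed tarball bytes\n"
    spec = (
        "Name: example\n"
        "Source0: https://example.org/example-1.0.tar.gz\n"
        f"# Source0-sha256: {hashlib.sha256(tarball).hexdigest()}\n"
        "Source1: https://example.org/extra.conf\n"
        "Source2: https://example.org/missing.tar.gz\n"
        f"# Source2-sha256: {'0' * 64}\n"
        "Patch0: fix-build.patch\n"
        f"# Patch0-sha256: {hashlib.sha256(b'original patch').hexdigest()}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example-1.0.tar.gz").write_bytes(tarball)
        Path(d, "fix-build.patch").write_bytes(b"replaced patch")  # swapped patch
        return verify_sources(spec, d)
```

A `mismatch` on Patch0 is exactly the swapped-patch case described above; `no-checksum` flags sources the spec never pinned.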