[Rpm-ecosystem] Reproducible Builds

Dave Johansen davejohansen at gmail.com
Tue Mar 1 19:48:43 UTC 2016


On Tue, Mar 1, 2016 at 12:20 PM, Neal Gompa <ngompa13 at gmail.com> wrote:

> On Tue, Mar 1, 2016 at 11:27 AM, Miroslav Suchy <msuchy at redhat.com> wrote:
> > On 1.3.2016 at 17:18 Neal Gompa wrote:
> > Isn't this equivalent of dist-git? Sans the signature. But if you do
> > signed tag in dist-git then you will have all the information as Debian
> > has in dsc file.
>
> That's true, but what about the case where people don't have a
> dist-git? There are definitely environments where people are using
> CVS, SVN, or even nothing at all. I know for at least a few
> distributions that are not built using an SCM.
>
> Also, since we can use tools like spectool to retrieve sources/patches
> that have URLs, having tags in the spec with checksum information
> means that those tools can use that information to check the
> sources/patches.
>

Aside from revision control and the current Fedora system for doing builds,
it would be nice if the .spec and/or source .rpm had verifiable hashes of
what the original/intended content is. My understanding is that a nefarious
agent could easily replace a patch or source tarball in a source .rpm and
then there's no way to detect that that happened.
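The thread above asks for digests recorded alongside the Source/Patch tags so that a spectool-like fetcher can verify what it downloads. The script below is an added illustration of that idea and is not code from the rpm-ecosystem thread or from spectool; it assumes a hypothetical convention where the maintainer writes a comment of the form `# Source0-sha256: <hex>` under each tag (rpmbuild ignores comments, so no new tag support is required), and the spec text, tarball and patch bytes are constructed inline in place of real downloads.

```python
import hashlib
import re

# Constructed sample artefacts standing in for the files a fetcher would download.
GOOD_TARBALL = b"fake tarball contents for foo-1.0\n"
GOOD_PATCH = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-old\n+new\n"
# A patch that was swapped out after the maintainer recorded the digest.
TAMPERED_PATCH = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-old\n+system(\"id\");\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical convention (not an rpm feature): a "# <Tag>-sha256: <hex>" comment
# records the digest the maintainer saw when the Source/Patch tag was written.
# Patch1 deliberately has no digest, to show how an unverified entry is reported.
SPEC_TEXT = f"""
Name:    foo
Version: 1.0
Release: 1%{{?dist}}
Summary: Example package
License: MIT
Source0: https://example.org/foo-1.0.tar.gz
# Source0-sha256: {sha256_hex(GOOD_TARBALL)}
Patch0:  foo-fix.patch
# Patch0-sha256: {sha256_hex(GOOD_PATCH)}
Patch1:  foo-unverified.patch
"""

# "Source:" / "Patch:" with no number are treated as Source0 / Patch0, as rpm does.
TAG_RE = re.compile(r"^(Source|Patch)(\d*):\s*(\S+)", re.MULTILINE)
DIGEST_RE = re.compile(r"^#\s*(Source|Patch)(\d*)-sha256:\s*([0-9a-fA-F]{64})\s*$",
                       re.MULTILINE)


def parse_spec(spec: str) -> dict:
    """Return {tag: {"file": basename, "sha256": hex or None}} for every Source/Patch tag."""
    entries = {}
    for kind, num, value in TAG_RE.findall(spec):
        tag = f"{kind}{num or '0'}"
        # rpm stores the basename of a URL source in SOURCES/, so match on that.
        entries[tag] = {"file": value.rsplit("/", 1)[-1], "sha256": None}
    for kind, num, digest in DIGEST_RE.findall(spec):
        tag = f"{kind}{num or '0'}"
        if tag in entries:
            entries[tag]["sha256"] = digest.lower()
    return entries


def verify_sources(spec: str, fetched: dict) -> dict:
    """Check each fetched file (basename -> bytes) against the digest recorded in the spec.

    Statuses: 'ok', 'mismatch' (tampered or wrong file), 'no-digest' (spec gives
    nothing to check against), 'missing' (file was not fetched at all).
    """
    results = {}
    for tag, entry in parse_spec(spec).items():
        data = fetched.get(entry["file"])
        if data is None:
            results[tag] = "missing"
        elif entry["sha256"] is None:
            results[tag] = "no-digest"
        elif sha256_hex(data) == entry["sha256"]:
            results[tag] = "ok"
        else:
            results[tag] = "mismatch"
    return results


if __name__ == "__main__":
    # Simulate an SRPM in which Patch0 was replaced after the spec was written.
    fetched = {
        "foo-1.0.tar.gz": GOOD_TARBALL,
        "foo-fix.patch": TAMPERED_PATCH,
        "foo-unverified.patch": b"whatever\n",
    }
    for tag, status in verify_sources(SPEC_TEXT, fetched).items():
        print(f"{tag}: {status}")
```

The digests only help as far as the spec itself is trusted: someone who can swap a patch inside a source .rpm can usually rewrite the spec's digest comment too, so the check is meaningful when the spec is signed or comes from a signed tag in dist-git, which is the point Miroslav makes earlier in the thread.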