[Rpm-ecosystem] Reproducible Builds

Nicolas Vigier boklm at mars-attacks.org
Fri Mar 4 16:01:02 UTC 2016

On Tue, 01 Mar 2016, Neal Gompa wrote:

> One important aspect that would make reproducible builds more
> trustworthy in the RPM world would be some capability to indicate
> checksums for sources and patches so that rpmbuild can verify them.
> Debian already does this in the Debian Source Control (dsc) file, as
> seen by this example[1]. Without some way to introduce build-time

The equivalent of the Debian Source Control file is the src.rpm file,
which includes all the sources.

> verification of sources independent of a build system, it'd be hard to
> reliably test in a simple manner that the inputs are what you expect
> them to be. This is really more important during the srpm creation
> stage, as that's when the archives and patches are bundled into a
> unified source archive that can be used by anything (including mock)
> to build packages.

If you are using some tool to generate your src.rpm files, then this
tool could verify the files it includes in the srpm.

In Fedora the 'fedpkg' tool is doing that with the 'sources' file I
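As an added illustration of the check discussed above (example code written for this page, not fedpkg's or rpm's own implementation), the script below verifies a directory of sources and patches against a fedpkg-style `sources` manifest before they would be bundled into a src.rpm. It assumes the two line formats that file has used, `SHA512 (name) = hexdigest` and the legacy `md5hex  name`, and the sample files and digests in `demo()` are constructed for the example.

```python
"""Verify source archives against a fedpkg-style ``sources`` file.

Added example (not fedpkg's or rpm's own code).  Assumed manifest formats:

    SHA512 (foo-1.0.tar.gz) = <hex digest>      # current format
    <md5 hex digest>  foo-1.0.tar.gz            # legacy format

The check belongs at srpm-creation time: the inputs that end up inside the
src.rpm are pinned by digest instead of being taken on trust.
"""
import hashlib
import os
import re
import tempfile

# "SHA512 (name) = hex" -- current fedpkg format (assumed)
_NEW_LINE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)
# "hex  name" -- legacy md5sum-style format (assumed)
_OLD_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{32})\s+\*?(?P<name>\S+)\s*$")


def parse_sources(text):
    """Return a list of (algorithm, filename, expected_hex_digest) tuples.

    A line matching neither format raises ValueError: a malformed manifest
    should stop the srpm build rather than be silently skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NEW_LINE.match(line)
        if m:
            entries.append((m.group("algo").lower(), m.group("name"),
                            m.group("digest").lower()))
            continue
        m = _OLD_LINE.match(line)
        if m:
            entries.append(("md5", m.group("name"), m.group("digest").lower()))
            continue
        raise ValueError("sources line %d is malformed: %r" % (lineno, raw))
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(sources_text, directory):
    """Check every manifest entry against the files in ``directory``.

    Returns {filename: "ok" | "mismatch" | "missing"}.  A tool that packs
    the src.rpm should refuse to proceed unless every value is "ok".
    """
    results = {}
    for algo, name, expected in parse_sources(sources_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def all_verified(results):
    """True only if the manifest is non-empty and every file checked out."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo():
    """Constructed scenario: one good tarball, one tampered patch, one absent file."""
    workdir = tempfile.mkdtemp()
    good = b"pretend this is foo-1.0.tar.gz\n"
    with open(os.path.join(workdir, "foo-1.0.tar.gz"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(workdir, "fix-build.patch"), "wb") as fh:
        fh.write(b"--- tampered content, digest will not match\n")
    sources = "\n".join([
        "SHA512 (foo-1.0.tar.gz) = " + hashlib.sha512(good).hexdigest(),
        hashlib.md5(b"original patch content\n").hexdigest() + "  fix-build.patch",
        "SHA512 (bar-2.0.tar.xz) = " + "0" * 128,
    ])
    return verify_sources(sources, workdir)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-20s %s" % (name, status))
```

Run stand-alone it prints `ok` for the intact tarball, `mismatch` for the altered patch and `missing` for the file that was never fetched; the "refuse unless all ok" decision is deliberately kept in `all_verified()` so the srpm-building step can gate on a single boolean.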
