[Rpm-ecosystem] Reproducible Builds

Neal Gompa ngompa13 at gmail.com
Fri Mar 4 18:30:45 UTC 2016

On Fri, Mar 4, 2016 at 11:01 AM, Nicolas Vigier <boklm at mars-attacks.org> wrote:
> On Tue, 01 Mar 2016, Neal Gompa wrote:
>> One important aspect that would make reproducible builds more
>> trustworthy in the RPM world would be some capability to indicate
>> checksums for sources and patches so that rpmbuild can verify them.
>> Debian already does this in the Debian Source Control (dsc) file, as
>> seen by this example[1]. Without some way to introduce build-time
> The equivalent of the Debian Source Control file is the src.rpm file,
> which includes all the sources.
>> verification of sources independent of a build system, it'd be hard to
>> reliably test in a simple manner that the inputs are what you expect
>> them to be. This is really more important during the srpm creation
>> stage, as that's when the archives and patches are bundled into a
>> unified source archive that can be used by anything (including mock)
>> to build packages.
> If you are using some tool to generate your src.rpm files, then this
> tool could verify the files it includes in the srpm.
> In Fedora the 'fedpkg' tool is doing that with the 'sources' file I
> think.

This is not true when you have some packages with the NoSource attribute set.

With NoSource set for some Sources, they don't get packed into the
Source RPM, meaning we need something to verify them again and again.

真実はいつも一つ!/ Always, there's only one truth!
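As an added illustration of the build-time source verification discussed above (example code, not from the thread, fedpkg or rpmbuild): a POSIX shell check of a Fedora-style `sources` manifest against the files on disk, usable before srpm creation and again for NoSource files that never land in the srpm. The manifest forms follow fedpkg's `sources` file, but the file names, digests and the demo tree are constructed for this example; it assumes the coreutils `md5sum`/`sha1sum`/`sha256sum`/`sha512sum` tools are installed.

```shell
#!/bin/sh
# Verify every entry of a 'sources' manifest against the files on disk.
# Two manifest forms are accepted:
#   SHA512 (name.tar.gz) = <hex>    (BSD-tag style, algorithm named explicitly)
#   <hex>  name.tar.gz              (md5sum style, algorithm inferred from length)
# Returns non-zero on any missing file or digest mismatch, so it can gate
# srpm creation or a later re-check of NoSource inputs.
verify_sources() {
    dir=$1 manifest=$2 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *' ('*') = '*)                      # tag form
                algo=$(printf '%s' "${line%%' ('*}" | tr '[:upper:]' '[:lower:]')
                rest=${line#*' ('}; name=${rest%%') = '*}; want=${rest#*') = '} ;;
            *)                                  # old form
                want=${line%% *}; name=${line##* }
                case ${#want} in
                    32) algo=md5 ;; 40) algo=sha1 ;; 64) algo=sha256 ;;
                    128) algo=sha512 ;; *) echo "BAD LINE: $line"; rc=1; continue ;;
                esac ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING:  $name"; rc=1; continue
        fi
        got=$("${algo}sum" "$dir/$name" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        if [ "$got" = "$want" ]; then
            echo "OK:       $name ($algo)"
        else
            echo "MISMATCH: $name expected $want got $got"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed demo tree (not real package sources): a text file whose SHA-256
# is the well-known digest of "hello\n", and an empty file standing in for a
# NoSource input, listed in the older md5sum form.
make_demo_tree() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/hello.txt"
    : > "$d/firmware.bin"
    cat > "$d/sources" <<EOF
SHA256 (hello.txt) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
d41d8cd98f00b204e9800998ecf8427e  firmware.bin
EOF
    echo "$d"
}

demo=$(make_demo_tree)
verify_sources "$demo" "$demo/sources"
```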
