[Rpm-maint] [PATCH] Add RPMTAG_IDENTITY calculation as tag extension

Vladimir D. Seleznev vseleznv at altlinux.org
Thu Apr 5 13:05:09 UTC 2018


On Thu, Apr 05, 2018 at 03:42:15PM +0300, Vladimir D. Seleznev wrote:
> On Thu, Apr 05, 2018 at 11:41:33AM +0300, Panu Matilainen wrote:
> > On 04/03/2018 10:31 PM, Vladimir D. Seleznev wrote:
> > > RPMTAG_IDENTITY is calculated as a digest of the part of the package
> > > header that does not contain tag entries irrelevant to the package build.
> > > 
> > > Mathematically, the RPMTAG_IDENTITY value is the result of a function of
> > > two variables: a package header and an rpm utility, thus this value can
> > > differ for the same package and different versions of rpm.
> > > 
> > 
> > Before proceeding with further work on this, we need to define what is 
> > it that we're trying to identify. The above definition is very 
> > ambiguous, and it's impossible to properly review + discuss the patch 
> > when my idea of package identity might be entirely different from 
> > somebody else's idea, that'll only cause unnecessary work and frustration.
> 
> Agree, that commit message isn't clear.

I agree.

> > Starting with, what is a "package"? Are we talking about the source 
> > package, or binary packages?
> 
> Originally it was about binary packages, but is there really a difference?
> Source packages are built as well as binary ones, and something can be
> changed after rebuild.
> 
> > If it's binaries, then we're always ultimately talking about a *build*, 
> > and a line needs to be drawn somewhere.
> 
> OK.
> 
> > There are any number of ways to draw such a line, so it needs to be
> > explicitly stated. One example of such line could be something like
> > "package id must match between a package built on different instances
> > of the same operating system, version and architecture". That clearly
> > is NOT the line that this version of the patch tries to draw, but then
> > it's not at all clear to me what that line is supposed to be.
> 
> I think, there should be a line with other side idea: if package
> identity is matched between package build on the same build environment,
> then the build is reproducible.
> 
> The possible new version of commit message is below:
> 
> Add RPMTAG_IDENTITY calculation as tag extension
> 
> RPMTAG_IDENTITY is calculated as a digest of values of significant
> package header tag entries and represents package build characteristics.
> The main purpose of package identity is reproducible build verification:
> if package identity is matched between package build on same build
> environment, then the package build is reproducible for this
> environment.

-- 
   With best regards,
   Vladimir D. Seleznev

