[Rpm-maint] [PATCH] Add RPMTAG_IDENTITY calculation as tag extension

Vladimir D. Seleznev vseleznv at altlinux.org
Mon Apr 9 13:47:25 UTC 2018


On Thu, Apr 05, 2018 at 05:18:14PM -0400, Jeff Johnson wrote:
> 
> 
> > On Apr 5, 2018, at 4:41 AM, Panu Matilainen <pmatilai at redhat.com> wrote:
> > 
> >> On 04/03/2018 10:31 PM, Vladimir D. Seleznev wrote:
> >> RPMTAG_IDENTITY is calculated as a digest of the part of the package header that
> >> does not contain tag entries irrelevant to the package build.
> >> Mathematically, the RPMTAG_IDENTITY value is the result of a function of two
> >> variables: a package header and an rpm utility, thus this value can
> >> differ for the same package and different versions of rpm.
> > 
> 
> (aside)
> Can we move this discussion to the github issue? E-mail is
> increasingly painful for discussions ... I will provide some general
> ideas there.

https://github.com/rpm-software-management/rpm/issues/426

> > Before proceeding with further work on this, we need to define what
> > it is that we're trying to identify. The above definition is very
> > ambiguous, and it's impossible to properly review + discuss the
> > patch when my idea of package identity might be entirely different
> > from somebody else's idea, that'll only cause unnecessary work and
> > frustration.
> > 
> 
> Yup. However, IDENTITY as a proof-of-reproducibility is sufficient for
> discussion, though many details about what the plaintext
> should be remain to be decided.
> 
> > Starting with, what is a "package"? Are we talking about the source
> > package, or binary packages?
> > 
> 
> Both binary/source, just different identities (unless one wants to use
> source IDENTITY to tie binary packages to a sufficiently similar class
> of "reproducible" source rpm's, in which case a dynamic IDENTITY will
> also have to be added into headers).
> 
> > If it's binaries, then we're always ultimately talking about a
> > *build*, and a line needs to be drawn somewhere. There are any
> > number of ways to draw such a line, so it needs to be explicitly
> > stated. One example of such a line could be something like "package id
> > must match between a package built on different instances of the
> > same operating system, version and architecture". That clearly is
> > NOT the line that this version of the patch tries to draw, but then
> > it's not at all clear to me what that line is supposed to be.
> > 
> 
> I'll add other thoughts at the github issue for IDENTITY.

-- 
   With best regards,
   Vladimir D. Seleznev

