[Rpm-maint] [PATCH 2/2] Add RPMTAG_IDENTITY

[Vladimir D. Seleznev]

On Wed, Mar 14, 2018 at 10:20:58AM -0400, Jeff Johnson wrote:
> 
> Afaict, RPMTAG_IDENTITY is an attempt at a reproducible invariant of a
> package header through rebuilding, which is poisoned by a
> RPMTAG_BUILDTIME tag (and likely file stat(2) info) being included in
> the header SHA1 (or SHA256) plaintext.

So there is black list filter for tags while identity calculation.

> Note also changes in current rpm to pass in a BUILDTIME to preserve
> reproducibility.
> 
> There are huge legacy compatibility problems committing to a
> precomputed static value in a header: consider what happens if/when
> the plaintext definition needs to change.

Sorry, I don't understand this part: what precomputed static value do
you mean?

> I'd suggest using a header tag extension rather than a retrieved value
> so that the plaintext definition can be more easily managed.
> 
> I'd also suggest a more specific name than IDENTITY because there are
> many definitions of reproducibility, as well as alternative schemes
> like building, and there are surely going to be multiple attempts to
> Get It Right! that make IDENTITY a misnomer.

This tag is not only about reproducibility, it supposes to represent
package build result identity, so we can differentiate one build from
another from one source package (with same NEVR) if there are
significant difference, such as different rundeps, generated binary
files, different filelist that packaged to the files, etc. One benefit
of this is reproducible build proof, second one is that we can use value
from this tag to generate more strict intersubpackage deps, so we can
use these for binary package rebuild without release upping (in case new
SONAME buildreq or new compiler).

We couldn't think of better tag name (you can propose a better name).

-- 
   With best regards,
   Vladimir D. Seleznev