[Rpm-maint] RFC: RPMTAG_IDENTITY calculation

Jeff Johnson n3npq at me.com
Thu Mar 29 19:07:21 UTC 2018



> On Mar 29, 2018, at 12:55 PM, Vladimir D. Seleznev <vseleznv at altlinux.org> wrote:
> 
> Hello, rpm-maint@!
> 
> There are RFC patches which implement RPMTAG_IDENTITY calculation.
> 
> The main idea is that RPMTAG_IDENTITY contains a hash of as many as possible,
> ideally all RPMTAGs, with exception of that that principally cannot be
> reproducible and that we don't want to make it reproducible. Another exception
> is for these tags that we want to use in certain cases, but only for these tags
> that aren't relevant to result of package build. So value of RPMTAG_IDENTITY is
> calculating by blacklist filtered tags for each package.
> 
> I didn't test the code on systems different from ALT, so I don't sure that it
> works on these systems properly. I also don't sure that black list is complete
> for other systems, these case also need to test.
> 
> Previously I wrote that RPMTAG_IDENTITY value will be used to generate more
> strict interpackage dependencies, but we turn away from it because identity of
> binary packages of two builds from one source package can be same for some
> packages and differ for others, and it brings collision for them.
> 

This isn't the best implementation for an IDENTITY proof-of-reproducibility implementation.

While I understand that you followed the header SHA1 code path, filtering out tags that were too specific, in order to add an IDENTITY tag in rpmbuild, header.c is just not the right place to hard wire the definition of what tags to include, nor is there any reason to include the IDENTITY within a package header, largely because that forces a package rebuild (a very expensive operation) in order to populate tag values.

The better implementation uses a tag extension (in lib/tagexts.c) using a header tag iterator with filtering to retrieve the tag values you wish in the IDENTITY plaintext.
The reason to calculate IDENTITy dynamically is the ease with which a proof-of-reproducibility can be deployed everywhere, not just in ALT.

Please open an issue to discuss IDENTITY as a header tag extension if you would like to proceed in that direction.

73 de Jeff
> _______________________________________________
> Rpm-maint mailing list
> Rpm-maint at lists.rpm.org
> http://lists.rpm.org/mailman/listinfo/rpm-maint


More information about the Rpm-maint mailing list