[Rpm-maint] [rpm-software-management/rpm] [RFE] Provide a way to store checksum of sources in .spec file (#570)

Vít Ondruch notifications at github.com
Thu Oct 11 06:22:47 UTC 2018


Coming from this [1] discussion, I think it would be nice if the .spec file could store checksums of the sources used to build the package.

Currently, using dist-git, the hashes are stored in a separate "sources" file. But there is no reason why these checksums should not be stored directly in RPM. That would allow the tooling to actually download the sources from the URL specified by the SourceX tag and verify that the file has the expected content (and get rid of the "sources" file, which RPM knows nothing about).

I can imagine downloading sources was not a good idea when RPM came to life, but it would make things such as submitting rebase PRs, committing just the .spec file without needing to upload sources, etc. easier these days.

There are several ways to do that I can think of, but I am not sure how feasible they are:

1) Provide new tag, such as:

~~~
Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz
Checksum0: SHA512  = 2c8211ae5f1578502dc9b29babe7d03ec61f500b3c2dd309be2bbd34fd194abba29d95812e7dab4bfacda13e342323921663464bab4cbf4af0a198e8437233f4
~~~

But a new tag probably means issues with backward compatibility.

2) Update "SourceX" tag to accept the hash, e.g.:

~~~
Source0: SHA512 (ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz) = 31bacf58469953282cd5d8b51862dcf4b84dedb927c1871bc3fca32fc157fe49187631575a70838705fe246f4555647577a7ecc26894445a7d64de5503dc11b4
~~~

Please note that the proposed format of the line is the same as the format of the line in the current dist-git "sources" file.

3) Use "Provides" to simulate something like this? That would probably need the least effort (or no effort on the RPM side), but I can't see how this could become the standard for all RPM-based distros:

~~~
Provides: checksum(SHA512 (%{name}-%{version}.tar.gz) = 31bacf58469953282cd5d8b51862dcf4b84dedb927c1871bc3fca32fc157fe49187631575a70838705fe246f4555647577a7ecc26894445a7d64de5503dc11b4)
~~~

[1]: https://pagure.io/packaging-committee/issue/610#comment-534674

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/570
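As an added example (not code from rpm, dist-git or the author of the post), the following Python script shows what the tooling the post has in mind would have to do with such a line: parse the "ALGO (name) = hexdigest" syntax that dist-git "sources" files use and that proposal 2) reuses, refuse weak algorithms and malformed digests, verify downloaded bytes with a constant-time comparison, and scan a .spec for SourceN lines to pair each with its checksum under either proposal 1) (a separate ChecksumN tag) or proposal 2) (inline). The allow-list of algorithms, the `example.invalid` URLs and the sample tarball bytes are constructed assumptions for the example.

```python
"""Added example, not code from rpm, dist-git or the issue author: a checker for
the "ALGO (name) = hexdigest" checksum syntax the post proposes (the syntax of
dist-git "sources" files), plus a .spec scanner that pairs SourceN with its
checksum under proposal 1) (ChecksumN tag) or proposal 2) (inline)."""
import hashlib
import hmac
import io
import re

# Assumed policy: algorithms a packager should accept, with digest sizes in bytes.
# MD5 and SHA-1 are deliberately absent; a checksum that pins source integrity
# has to be collision resistant.
ALLOWED_ALGORITHMS = {"SHA256": 32, "SHA512": 64}

# "SHA512 (foo-1.0.tar.gz) = 2c82...": dist-git "sources" format and proposal 2).
BSD_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*\(([^()]+)\)\s*=\s*([0-9a-fA-F]+)\s*$")
# "SHA512 = 2c82...": the value of a ChecksumN tag under proposal 1).
BARE_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*([0-9a-fA-F]+)\s*$")
SPEC_TAG = re.compile(r"^(Source|Checksum)(\d*)\s*:\s*(.*?)\s*$")


class ChecksumError(ValueError):
    """Unparseable line, disallowed algorithm, or wrong digest length."""


def parse_checksum(text):
    """Return (algorithm, name_or_None, lowercase_hex_digest) or raise ChecksumError."""
    m = BSD_LINE.match(text)
    if m:
        algo, name, digest = m.group(1), m.group(2).strip(), m.group(3)
    else:
        m = BARE_LINE.match(text)
        if not m:
            raise ChecksumError("unrecognised checksum syntax: %r" % text)
        algo, name, digest = m.group(1), None, m.group(2)
    algo, digest = algo.upper(), digest.lower()
    if algo not in ALLOWED_ALGORITHMS:
        raise ChecksumError("algorithm %s is not allowed" % algo)
    expected_len = 2 * ALLOWED_ALGORITHMS[algo]
    if len(digest) != expected_len:
        raise ChecksumError("%s digest has %d hex chars, expected %d"
                            % (algo, len(digest), expected_len))
    return algo, name, digest


def digest_stream(fileobj, algo, chunk_size=1 << 20):
    """Hash a binary file object in chunks so large tarballs are not read at once."""
    h = hashlib.new(algo.lower())
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_bytes(data, algo, expected_hex):
    """True if data hashes to expected_hex; compared in constant time."""
    return hmac.compare_digest(digest_stream(io.BytesIO(data), algo), expected_hex.lower())


def verify_file(path, algo, expected_hex):
    """Same check for a downloaded file on disk."""
    with open(path, "rb") as f:
        return hmac.compare_digest(digest_stream(f, algo), expected_hex.lower())


def spec_source_checksums(spec_text):
    """Map source index -> (url, algo, digest) for every SourceN tag in a spec.

    Accepts 'SourceN: ALGO (url) = hex' (proposal 2) and the pair
    'SourceN: url' + 'ChecksumN: ALGO = hex' (proposal 1). A source with no
    checksum maps to (url, None, None). Macros like %{name} are not expanded here."""
    sources, checksums = {}, {}
    for line in spec_text.splitlines():
        m = SPEC_TAG.match(line)
        if not m:
            continue
        tag, idx, value = m.group(1), int(m.group(2) or 0), m.group(3)
        if tag == "Checksum":
            algo, _, digest = parse_checksum(value)
            checksums[idx] = (algo, digest)
        elif BSD_LINE.match(value):  # proposal 2: checksum carried inline
            algo, url, digest = parse_checksum(value)
            sources[idx] = url
            checksums[idx] = (algo, digest)
        else:  # plain URL: proposal 1 (ChecksumN may follow) or unpinned
            sources[idx] = value
    return {i: (url,) + checksums.get(i, (None, None)) for i, url in sources.items()}


def unpinned_sources(spec_text):
    """Indices of sources a tool would have to download without verification."""
    return sorted(i for i, (_, algo, _) in spec_source_checksums(spec_text).items()
                  if algo is None)


# Constructed sample inputs standing in for real tarballs and a real .spec file.
SAMPLE_TARBALL = b"constructed stand-in for the contents of foo-1.0.tar.gz\n"
SAMPLE_EXTRA = b"constructed stand-in for foo-extra.txt\n"
SAMPLE_SOURCES_LINE = "SHA512 (foo-1.0.tar.gz) = " + hashlib.sha512(SAMPLE_TARBALL).hexdigest()
SAMPLE_SPEC = (
    "Name:      foo\n"
    "Version:   1.0\n"
    "Source0:   SHA512 (https://example.invalid/foo-1.0.tar.gz) = "
    + hashlib.sha512(SAMPLE_TARBALL).hexdigest() + "\n"
    "Source1:   https://example.invalid/foo-extra.txt\n"
    "Checksum1: SHA256  = " + hashlib.sha256(SAMPLE_EXTRA).hexdigest() + "\n"
    "Source2:   https://example.invalid/foo-unpinned.patch\n"
)

if __name__ == "__main__":
    algo, name, digest = parse_checksum(SAMPLE_SOURCES_LINE)
    print(name, "ok" if verify_bytes(SAMPLE_TARBALL, algo, digest) else "MISMATCH")
    print("unpinned sources:", unpinned_sources(SAMPLE_SPEC))
```

Two design points worth noting for anyone wiring this into a download step: the digest length is checked against the algorithm before anything is hashed, so a truncated hash in the spec fails closed instead of silently matching nothing, and a Source line with no pairable checksum is reported rather than fetched, since a URL without a pin gives the tooling no way to tell a tampered mirror from the real one.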