[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Neal Gompa (ニール・ゴンパ) notifications at github.com
Fri Mar 20 13:52:29 UTC 2020


In Fedora, we're considering having sources auto-fetched and uploaded to the lookaside cache as part of accepting PRs for package updates, but to make this straightforward, we'd want this to be in the spec file so that we know we're downloading what we're supposed to.

Something along the lines of `SourceN(<checksum-type>): <checksum-hash>` (and similar for `PatchN`, of course) was what I'm thinking of.

There's some prior art here in other package management solutions that influenced this idea. For example, Arch and Alpine both let you specify a source URL and specify checksums to validate this, as does Solus' ypkg YAML format.

For example, [the Arch PKGBUILD for `rpm-tools`](https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/rpm-tools) has the following snippet:

```shell
source=(http://ftp.rpm.org/releases/rpm-$_base_pkgver/rpm-$pkgver.tar.bz2
        rpmextract.sh
        rpmlib-filesystem-check.patch)
sha256sums=('ddef45f9601cd12042edfc9b6e37efcca32814e1e0f4bb8682d08144a3e2d230'
            '3e5bf450d4628366ba35469ec0530a99cd09ab2616a3d261a3f68270f481f777'
            'bd0e6dbd458f990268c60324190c6825b234647ecdde08296d2b453dc4bce27a')
```

And [Solus' ypkg YAML for `rpm`](https://dev.getsol.us/source/rpm/browse/master/package.yml) does something similar:

```yaml
source     :
- https://github.com/rpm-software-management/rpm/archive/rpm-4.14.2.1-release.tar.gz : 92cab9da7524cf4e4abf33f160cdfb9e63fe021bc7133f97735f70cdec777400
```



https://github.com/rpm-software-management/rpm/issues/463#issuecomment-601711727
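The proposed `SourceN(<checksum-type>): <checksum-hash>` syntax, as a small added verifier in Python (example code written for this page, not part of rpm, fedpkg or any Fedora tooling). The spec fragment, package name and tarball bytes are constructed, and the checksum line is generated from those bytes so the example runs offline; an auto-fetch step would apply `verify_source` to the downloaded file before uploading it to the lookaside cache.

```python
import hashlib
import hmac
import re

# Matches 'Source0: <url>' and 'Source0(sha256): <hex>' (same for PatchN).
SOURCE_RE = re.compile(
    r"^(?P<tag>Source|Patch)(?P<n>\d*)(?:\((?P<algo>\w+)\))?\s*:\s*(?P<val>\S+)\s*$",
    re.MULTILINE,
)

# Constructed sample data (hypothetical package; not a real spec or tarball).
GOOD_TARBALL = b"constructed tarball bytes for hello-2.10\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"one injected line\n"
SPEC = f"""\
Name:            hello
Version:         2.10
Source0:         https://example.invalid/hello-%{{version}}.tar.gz
Source0(sha256): {hashlib.sha256(GOOD_TARBALL).hexdigest()}
Patch0:          fix-build.patch
"""


def parse_spec(spec: str) -> dict:
    """Map 'Source0'/'Patch0' -> {'url': str | None, 'checksums': {algo: hex}}."""
    entries = {}
    for m in SOURCE_RE.finditer(spec):
        key = f"{m['tag']}{m['n'] or '0'}"  # a bare 'Source:' means Source0
        entry = entries.setdefault(key, {"url": None, "checksums": {}})
        if m["algo"]:
            entry["checksums"][m["algo"].lower()] = m["val"].lower()
        else:
            entry["url"] = m["val"]
    return entries


def verify_source(entry: dict, data: bytes) -> tuple[bool, str]:
    """Check fetched bytes against every declared checksum; fail closed."""
    if not entry["checksums"]:
        return False, "no checksum declared"  # auto-fetch must not trust it
    for algo, expected in entry["checksums"].items():
        if algo not in hashlib.algorithms_available:
            return False, f"unsupported checksum type {algo}"
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False, f"{algo} mismatch: expected {expected}, got {actual}"
    return True, "ok"


if __name__ == "__main__":
    entries = parse_spec(SPEC)
    print("Source0 good:", verify_source(entries["Source0"], GOOD_TARBALL))
    print("Source0 tampered:", verify_source(entries["Source0"], TAMPERED_TARBALL))
    print("Patch0:", verify_source(entries["Patch0"], b"--- a\n+++ b\n"))
```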