[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)
Neal Gompa (ニール・ゴンパ)
notifications at github.com
Fri Mar 20 14:04:07 UTC 2020
> but now thinking about this again, what is the problem with the `sources` file in dist-git? It already contains checksums.
We cannot rely on this file if we want rpm to be able to auto-download sources with any degree of confidence.
Per the comment in the macros.in file:
```rpm-spec
#
# Should rpm try to download missing sources at build-time?
# Enabling this is dangerous as long as rpm has no means to validate
# the integrity of the download with a digest or signature.
%_disable_source_fetch 1
```
This was the rationale for my filing #1126...