[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Neal Gompa (ニール・ゴンパ) notifications at github.com
Fri Mar 20 14:04:07 UTC 2020


> but now thinking about this again, what is the problem with the `sources` file in dist-git? It already contains checksums.

We cannot rely on this file if we want rpm to be able to auto-download sources with any degree of confidence.

Per the comment in the macros.in file:

```rpm-spec
#
# Should rpm try to download missing sources at build-time?
# Enabling this is dangerous as long as rpm has no means to validate
# the integrity of the download with a digest or signature.
%_disable_source_fetch 1
```

This was the rationale for my filing #1126...

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-601717189
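The digest check that the macros.in comment says rpm cannot yet perform, as an added example that is not part of the message above or of rpm's own code: it parses a dist-git `sources` file in both the current `SHA512 (file) = digest` form and the legacy `md5digest  file` form (the layouts Fedora's dist-git uses), recomputes each local file's digest and reports `ok`, `mismatch` or `missing` per source. File names, contents and the deliberately wrong digests in `demo()` are constructed. A comparison like this only establishes that a download matches the recorded value; it says nothing about whether the `sources` file itself deserves trust, which is the point the comment makes.

```python
import hashlib
import os
import re
import tempfile

# Current dist-git form:  SHA512 (<filename>) = <hexdigest>
_NEW_FORM = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-fA-F]+)$"
)
# Legacy dist-git form:   <md5 hexdigest>  <filename>
_OLD_FORM = re.compile(r"^(?P<hexdigest>[0-9a-fA-F]{32})\s+(?P<name>\S+)$")


def parse_sources(text):
    """Return {filename: (algorithm, hexdigest)} for the text of a sources file.

    Blank lines and '#' comments are skipped; any other unrecognised line is
    an error rather than silently ignored, so a damaged file cannot pass as empty.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NEW_FORM.match(line)
        if m:
            algo = m.group("algo").lower()
        else:
            m = _OLD_FORM.match(line)
            if not m:
                raise ValueError(f"sources line {lineno}: unrecognised format: {raw!r}")
            algo = "md5"
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"sources line {lineno}: unsupported digest {algo!r}")
        entries[m.group("name")] = (algo, m.group("hexdigest").lower())
    return entries


def file_digest(path, algo):
    """Hex digest of a file, read in 1 MiB chunks so large tarballs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(sources_text, source_dir):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every recorded source."""
    results = {}
    for name, (algo, expected) in parse_sources(sources_text).items():
        path = os.path.join(source_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if file_digest(path, algo) == expected else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one legacy entry, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "pkg-1.0.tar.gz")
        with open(good, "wb") as fh:
            fh.write(b"constructed tarball payload, not a real archive\n")
        altered = os.path.join(d, "pkg-1.0-patches.tar.gz")
        with open(altered, "wb") as fh:
            fh.write(b"content that no longer matches the recorded digest\n")
        open(os.path.join(d, "old-style.tar.gz"), "wb").close()  # empty file, legacy md5 line
        sources_text = "\n".join([
            "# constructed sources file",
            f"SHA512 (pkg-1.0.tar.gz) = {file_digest(good, 'sha512')}",
            f"SHA512 (pkg-1.0-patches.tar.gz) = {'0' * 128}",  # recorded digest deliberately wrong
            "d41d8cd98f00b204e9800998ecf8427e  old-style.tar.gz",  # md5 of the empty file
            f"SHA512 (never-downloaded.tar.gz) = {'f' * 128}",  # recorded, but not present locally
        ])
        return verify_sources(sources_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Run stand-alone it prints one status line per recorded source; a build wrapper would treat anything other than `ok` for every entry as a reason to stop before `%prep`.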

