[Rpm-maint] [PATCH] Add RPMTAG_IDENTITY calculation as tag extension
Vladimir D. Seleznev
vseleznv at altlinux.org
Thu Apr 5 13:05:09 UTC 2018
On Thu, Apr 05, 2018 at 03:42:15PM +0300, Vladimir D. Seleznev wrote:
> On Thu, Apr 05, 2018 at 11:41:33AM +0300, Panu Matilainen wrote:
> > On 04/03/2018 10:31 PM, Vladimir D. Seleznev wrote:
> > > RPMTAG_IDENTITY is calculated as a digest of the part of the package
> > > header that does not contain tag entries irrelevant to the package build.
> > >
> > > Mathematically, the RPMTAG_IDENTITY value is the result of a function of
> > > two variables: a package header and an rpm utility, thus this value can
> > > differ for the same package and different versions of rpm.
> > >
> >
> > Before proceeding with further work on this, we need to define what it
> > is that we're trying to identify. The above definition is very
> > ambiguous, and it's impossible to properly review + discuss the patch
> > when my idea of package identity might be entirely different from
> > somebody else's idea, that'll only cause unnecessary work and frustration.
>
> Agree, that commit message isn't clear.
I agree.
> > Starting with, what is a "package"? Are we talking about the source
> > package, or binary packages?
>
> Originally it was about binary packages, but is there really a difference?
> Source packages are built as well as binary ones, and something can be
> changed after a rebuild.
>
> > If it's binaries, then we're always ultimately talking about a *build*,
> > and a line needs to be drawn somewhere.
>
> OK.
>
> > There are any number of ways to draw such a line, so it needs to be
> > explicitly stated. One example of such a line could be something like
> > "package id must match between a package built on different instances
> > of the same operating system, version and architecture". That clearly
> > is NOT the line that this version of the patch tries to draw, but then
> > it's not at all clear to me what that line is supposed to be.
>
> I think there should be a line with the other-side idea: if the package
> identity matches between package builds in the same build environment,
> then the build is reproducible.
>
> The possible new version of the commit message is below:
>
> Add RPMTAG_IDENTITY calculation as tag extension
>
> RPMTAG_IDENTITY is calculated as a digest of the values of significant
> package header tag entries and represents package build characteristics.
> The main purpose of package identity is reproducible build verification:
> if the package identity matches between package builds in the same build
> environment, then the package build is reproducible for this
> environment.
--
With best regards,
Vladimir D. Seleznev