[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Jeff Johnson notifications at github.com
Fri Jul 13 18:38:46 UTC 2018


Several points:

* Maintaining digests in spec files -- if mandatory -- adds a great deal of gratuitous cut-n-paste tedium to package building/management for little real purpose. Does anyone ever vet the contents of a tarball before putting its digest into recipe metadata?

* SRPMs in rpm -- unlike arch/Gentoo/homebrew/macports/*bsd -- already include (and verify) both digests (and signatures) when unpacking in preparation for a build. SRPMs are often the starting point for a build, unlike other systems which rely on upstream access through downloads, where MitM is a more significant risk.

* Most rpm based build systems -- presumably color as well -- maintain a local cache of upstream sources. Adding digests to the cache would be far easier than adding to a spec file.

That being said ... RPM5 has an implementation to verify digests (and plaintext signatures) on both sources and patches that has perhaps a better syntax than your suggestion, implemented as a probe dependency primitive used like

BuildRequires: digest(%SOURCE0) = 1234567812345678

(There is a means to specify the digest algo as well, just forgot what is implemented)

https://github.com/rpm-software-management/rpm/issues/463#issuecomment-404918300
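As an added example (not code from rpm, RPM5 or the poster), here is what a checker for the `BuildRequires: digest(%SOURCEn) = <hex>` probe lines quoted in the comment could look like: it maps each `%SOURCEn` back to the `SourceN:` file, recomputes the digest and fails closed on anything it cannot resolve. The comment does not say how RPM5 names the digest algorithm, so this example infers it from the hex length (an assumption), and the spec text and tarball bytes are constructed.

```python
import hashlib, hmac, os, re, tempfile

# Hypothetical checker (not rpm's or RPM5's own code) for the
# "BuildRequires: digest(%SOURCEn) = <hex>" lines quoted in the thread.
# Assumption: the algorithm is inferred from the hex digest's length.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)", re.M)
DIGEST_RE = re.compile(r"^BuildRequires:\s*digest\(%SOURCE(\d+)\)\s*=\s*([0-9a-fA-F]+)", re.M)

def parse_spec(spec_text):
    """Return ({index: basename}, {index: expected hex digest})."""
    sources = {int(n or 0): os.path.basename(u) for n, u in SOURCE_RE.findall(spec_text)}
    digests = {int(n): h.lower() for n, h in DIGEST_RE.findall(spec_text)}
    return sources, digests

def verify_sources(spec_text, sourcedir):
    """Map each declared digest to True/False; a missing Source line,
    missing file or unrecognised digest length fails closed."""
    sources, digests = parse_spec(spec_text)
    results = {}
    for idx, expected in digests.items():
        algo = ALGO_BY_LEN.get(len(expected))
        path = os.path.join(sourcedir, sources.get(idx, ""))
        if algo is None or idx not in sources or not os.path.isfile(path):
            results[idx] = False
            continue
        with open(path, "rb") as f:
            actual = hashlib.new(algo, f.read()).hexdigest()
        # constant-time comparison, so a mismatch leaks nothing about where it differs
        results[idx] = hmac.compare_digest(actual, expected)
    return results

# Constructed demo spec: Source0 matches its digest, Source1 was altered
# after its digest was recorded.
SPEC = """Source0: https://example.invalid/foo-1.0.tar.gz
Source1: https://example.invalid/foo-data.tar.gz
BuildRequires: digest(%SOURCE0) = {d0}
BuildRequires: digest(%SOURCE1) = {d1}
"""

def demo():
    good = b"constructed tarball bytes"
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "foo-1.0.tar.gz"), "wb").write(good)
        open(os.path.join(d, "foo-data.tar.gz"), "wb").write(b"tampered")
        spec = SPEC.format(d0=hashlib.sha256(good).hexdigest(),
                           d1=hashlib.sha256(b"original").hexdigest())
        return verify_sources(spec, d)  # {0: True, 1: False}
```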