[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Jeff Johnson notifications at github.com
Sat Jul 14 19:22:06 UTC 2018


I should point out that there is a very simple solution for copr (and perhaps other build systems) that do not wish to use the existing digest (and package signature) mechanisms in SRPMs:

Use git (or other VCS) for the local cache of virgin sources used by rpmbuild.

If the local cache used git (or other VCS), you would also achieve:

* a historical log of cache operations
* referential integrity (by checking out on a tag or git id), which is useful when there are different versions of identically named tarballs.

Git (or other VCS) would provide integrity checks without the need to reimplement digest checking and specfile editing in an alternative duplicated manner in RPM.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-405044317
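
The git-backed source cache suggested in this message, as an added example that is not part of the original email or of rpm itself. The function names, tag names and file contents are constructed for illustration, and the `git fsck` step goes slightly beyond what the message spells out.

```shell
#!/bin/sh
# Added example: a git repository used as the local cache of pristine sources.
# Paths, tag names and file contents are constructed; nothing here is rpm code.

# cache_init DIR: create an empty cache repository with a local identity.
cache_init() {
    git init -q "$1" &&
    git -C "$1" config user.name "source-cache" &&
    git -C "$1" config user.email "source-cache@example.invalid"
}

# cache_add DIR FILE TAG: store FILE under its own name and pin it with TAG.
# Each call becomes one commit, which is the historical log of cache operations.
cache_add() {
    name=$(basename "$2")
    cp "$2" "$1/$name" &&
    git -C "$1" add -- "$name" &&
    git -C "$1" commit -q -m "cache: $name as $3" &&
    git -C "$1" tag "$3"
}

# cache_fetch DIR REF NAME OUT: write NAME exactly as recorded at REF
# (a tag or a commit id) to OUT; fails if REF or NAME is unknown.
cache_fetch() {
    git -C "$1" cat-file blob "$2:$3" > "$4"
}

# cache_verify DIR: recompute every object hash; non-zero status on corruption.
cache_verify() {
    git -C "$1" fsck --full --strict >/dev/null 2>&1
}

# Two different files published under the same name, told apart by tag.
demo() {
    work=$(mktemp -d) || return 1
    printf 'constructed upstream release\n' > "$work/foo-1.0.tar.gz"
    cache_init "$work/cache" &&
    cache_add "$work/cache" "$work/foo-1.0.tar.gz" foo-1.0-r1 || return 1
    printf 'constructed silent re-release\n' > "$work/foo-1.0.tar.gz"
    cache_add "$work/cache" "$work/foo-1.0.tar.gz" foo-1.0-r2 || return 1
    cache_verify "$work/cache" &&
    cache_fetch "$work/cache" foo-1.0-r1 foo-1.0.tar.gz "$work/out" &&
    cat "$work/out" &&
    git -C "$work/cache" log --oneline --decorate
    rc=$?
    rm -rf "$work"
    return $rc
}
demo
```

A build that names the tag or commit id it expects gets exactly the bytes recorded under that reference, even after a later file with the same name has been added to the cache.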