[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Коренберг Марк notifications at github.com
Mon Jul 26 12:51:16 UTC 2021


I want rpmlint to fight against packagers who unintentionally put in the wrong archives. Yes, I trust GitHub, so I want rpmlint to download from GitHub, i.e.
1. unpack .srpm
2. remove archives that are expected to be from github
3. run something like `rpmbuild --undefine=_disable_source_fetch --define '_sourcedir XXX' -ba *.spec`
4. compare `sha256sum($file_in_srpm)` and `sha256sum($downloaded_file)`

GitHub is trusted because of git (i.e. a blockchain) that is hard to fake without others being able to notice. I mean history rewriting.

I don't see any real cases where specifying a sha256sum inside the spec file could help. Just suppose a stupid developer has got a .tar.gz from the wrong branch or so, calculated it and put it into the .spec file. Comparing checksums will show everything is OK, but actually the data does not correspond to the URL. I think silent data corruption is not a case we should care about.


Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-886674548
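The procedure described in the comment (unpack the SRPM, re-download each Source URL and compare sha256sums), written out as an added Python example; this is not code from the thread, from rpm or from rpmlint. It assumes a caller-supplied `fetch(url)` downloader so it runs offline, uses a constructed spec and constructed archive bytes, and also runs the comment's wrong-branch scenario to show why a checksum written into the spec would not catch it.

```python
import hashlib
import re
# Constructed sample spec; the Source lines are the kind rpmlint would have to read.
SPEC = """\
Name:    demo
Version: 1.2.0
Source0: https://github.com/example/demo/archive/v%{version}.tar.gz
Source1: https://example.invalid/extra/%{name}-%{version}-docs.tar.gz
"""

def expand_macros(text, macros):
    """Expand %{name}-style macros (a small subset of rpm's macro syntax)."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), text)

def spec_sources(spec):
    """Return {tag: expanded URL} for every SourceN line, using Name/Version from the spec."""
    macros = {m.group(1).lower(): m.group(2)
              for m in re.finditer(r"^(Name|Version):\s*(\S+)", spec, re.M)}
    return {m.group(1): expand_macros(m.group(2), macros)
            for m in re.finditer(r"^(Source\d*):\s*(\S+)", spec, re.M)}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_against_upstream(spec, srpm_files, fetch):
    """Steps 2-4 of the comment: re-download every Source URL and compare its sha256 with
    the archive shipped in the SRPM. srpm_files maps basename -> bytes unpacked from the
    .srpm; fetch(url) -> bytes is a caller-supplied downloader (assumed, keeps this offline)."""
    results = {}
    for tag, url in spec_sources(spec).items():
        name = url.rsplit("/", 1)[-1]
        if name not in srpm_files:
            results[tag] = "missing"      # spec references a file the SRPM does not carry
        else:
            results[tag] = "ok" if sha256(srpm_files[name]) == sha256(fetch(url)) else "mismatch"
    return results

# Constructed scenario from the comment: the packager tarred the wrong branch.
UPSTREAM = {
    "https://github.com/example/demo/archive/v1.2.0.tar.gz": b"release branch v1.2.0\n",
    "https://example.invalid/extra/demo-1.2.0-docs.tar.gz": b"docs 1.2.0\n",
}
SRPM_FILES = {"v1.2.0.tar.gz": b"feature branch snapshot\n",   # wrong content, right name
              "demo-1.2.0-docs.tar.gz": b"docs 1.2.0\n"}
SUM_WRITTEN_IN_SPEC = sha256(SRPM_FILES["v1.2.0.tar.gz"])      # computed from the wrong tarball

def demo():
    """A checksum embedded in the spec passes; the upstream comparison flags Source0."""
    embedded_ok = sha256(SRPM_FILES["v1.2.0.tar.gz"]) == SUM_WRITTEN_IN_SPEC
    return embedded_ok, verify_against_upstream(SPEC, SRPM_FILES, UPSTREAM.__getitem__)
```

For a real run, pass a downloader such as `lambda url: urllib.request.urlopen(url).read()` as `fetch` and fill `srpm_files` from the unpacked .srpm; the macro expansion here is deliberately minimal, and `rpmspec -P` gives the fully expanded spec when more macros are involved.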