[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)

Dirk Mueller notifications at github.com
Fri Jul 14 09:24:14 UTC 2023


Unfortunately, the suggested format of `Source(sha256): format` is not backward compatible with older rpm releases, and having the checksum as an extra tag (with autonumbering) and if conditions could be error-prone and tricky. So @mlschroe came up with an alternative proposal:

```
Source sha256(<checksum>):         https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz
Source42   sha256(<checksum>)  :         https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz
```

This works with old rpms and can be parsed easily with a patch (working on it at the moment). The only downside I see is that with sha256 the source lines get relatively long (at least 80 characters), but I personally can live with that.

An alternative syntax that builds upon another exploitable trick we have been using in SUSE spec files for a while already is this:

```
Source:  https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz#sha256:<checksum>/%{name}-%{version}.tar.gz
```

This works as well because rpm parses only after the last '/', and the download code ignores the fragment part.

Any opinions on which way to go?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-1635569863

Message ID: <rpm-software-management/rpm/issues/463/1635569863 at github.com>
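The two syntaxes above, as an added example that is not rpm's code and not the patch Dirk mentions: a small Python prototype that parses both the `Source[N] sha256(<checksum>): URL` form and the `URL#sha256:<checksum>/<name>` fragment form, applies rpm's "file name is whatever follows the last '/'" rule, and verifies a fetched file against the recorded digest. The package name `pkg`, version `1.0`, the `example.invalid` URLs and the tarball bytes are constructed for the example; `%{name}`/`%{version}` macros are assumed to be expanded before the line reaches this parser.

```python
"""Prototype parser and checker for checksum-carrying Source lines.

Added example, not rpm's own code: it models the two syntaxes proposed in the
thread and rpm's "stored file name is what follows the last '/'" rule, then
verifies a fetched file against the recorded digest.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syntax 1: "Source[N]  sha256(<hex>)  :  <url>"  (digest between tag and ':')
TAG_RE = re.compile(
    r"^(?P<tag>Source|Patch)(?P<num>\d*)\s*"
    r"(?:(?P<algo>sha256|sha512)\((?P<digest>[0-9A-Fa-f]+)\)\s*)?"
    r":\s*(?P<value>\S+)\s*$",
    re.IGNORECASE,
)
# Syntax 2: "<url>#sha256:<hex>/<basename>"  (digest carried in the URL fragment)
FRAG_RE = re.compile(
    r"^(?P<url>[^#]+)#(?P<algo>sha256|sha512):(?P<digest>[0-9A-Fa-f]+)/[^/]+$",
    re.IGNORECASE,
)
DIGEST_HEX_LEN = {"sha256": 64, "sha512": 128}


@dataclass
class SourceEntry:
    tag: str                 # "Source" or "Patch"
    number: int              # bare "Source" is Source0
    url: str                 # what the downloader fetches (fragment stripped)
    basename: str            # what rpm stores: the text after the last '/'
    algo: Optional[str]
    digest: Optional[str]


def parse_source_line(line: str) -> SourceEntry:
    m = TAG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Source/Patch line: {line!r}")
    value = m.group("value")
    algo, digest = m.group("algo"), m.group("digest")
    # rpm's rule: the stored file name is whatever follows the last '/'.  With a
    # "#.../name" fragment that is the fragment's trailing name, which is the
    # existing SUSE rename trick the post refers to.
    basename = value.rsplit("/", 1)[-1]
    url = value.split("#", 1)[0]          # the downloader ignores the fragment
    fm = FRAG_RE.match(value)
    if fm:
        if algo:
            raise ValueError("digest given both before ':' and in the fragment")
        algo, digest = fm.group("algo"), fm.group("digest")
    if algo:
        algo, digest = algo.lower(), digest.lower()
        if len(digest) != DIGEST_HEX_LEN[algo]:
            raise ValueError(f"{algo} digest must be {DIGEST_HEX_LEN[algo]} hex chars")
    return SourceEntry(m.group("tag").capitalize(), int(m.group("num") or 0),
                       url, basename, algo, digest)


def verify_source(entry: SourceEntry, data: bytes) -> bool:
    """True if data hashes to the recorded digest.  Raises rather than returning
    True when no digest was recorded, so 'no checksum' never reads as 'verified'."""
    if entry.algo is None:
        raise ValueError(f"{entry.tag}{entry.number}: no checksum recorded")
    return hashlib.new(entry.algo, data).hexdigest() == entry.digest


def check_spec(lines: List[str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Map SourceN/PatchN -> 'ok' | 'mismatch' | 'unverified' | 'missing'."""
    out: Dict[str, str] = {}
    for line in lines:
        e = parse_source_line(line)
        key = f"{e.tag}{e.number}"
        if e.basename not in files:
            out[key] = "missing"
        elif e.algo is None:
            out[key] = "unverified"
        else:
            out[key] = "ok" if verify_source(e, files[e.basename]) else "mismatch"
    return out


# Constructed sample input: hypothetical package, URLs and tarball bytes.
SAMPLE_DATA = b"constructed stand-in for pkg-1.0.tar.gz\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_DATA).hexdigest()
SAMPLE_SPEC = [
    f"Source sha256({SAMPLE_DIGEST}):         https://files.pythonhosted.org/packages/source/p/pkg/pkg-1.0.tar.gz",
    f"Source42   sha256({SAMPLE_DIGEST})  :         https://files.pythonhosted.org/packages/source/p/pkg/pkg-1.0.tar.gz",
    f"Source1:  https://example.invalid/archive/v1.0.tar.gz#sha256:{SAMPLE_DIGEST}/pkg-1.0.tar.gz",
    "Source2:  https://example.invalid/archive/v1.0.tar.gz#/pkg-1.0.tar.gz",  # rename only, no digest
]

if __name__ == "__main__":
    for key, status in check_spec(SAMPLE_SPEC, {"pkg-1.0.tar.gz": SAMPLE_DATA}).items():
        print(key, status)
```

Two design choices worth noting: a line without a digest is reported as `unverified` rather than `ok`, so a spec that mixes checked and unchecked sources cannot pass silently; and the fragment form's stored name is taken from after the last '/' of the whole value, so a URL whose own basename differs (the `v1.0.tar.gz` case) still lands under the name the packager chose.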