[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)
Dirk Mueller
notifications at github.com
Fri Jul 14 09:24:14 UTC 2023
Unfortunately, the suggested format of `Source(sha256): format` is not backward compatible with older rpm releases, and having the checksum as an extra tag (with autonumbering) and `if` conditions could be error-prone and tricky, so @mlschroe came up with an alternative proposal:
```
Source sha256(<checksum>): https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz
Source42 sha256(<checksum>) : https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz
```
This works with old rpms and can be parsed easily with a patch (working on it at the moment). The only downside I see is that with sha256 the source lines get relatively long (at least 80 characters), but I personally can live with that.
An alternative syntax, building on another exploitable trick that we have already been using in SUSE spec files for a while, is this:
```
Source: https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz#sha256:<checksum>/%{name}-%{version}.tar.gz
```
This works as well, because rpm parses only the part after the last '/', and the download code ignores the fragment part.
Any opinions on which way to go?
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-1635569863
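As an added example (not code from the rpm project or from the comment's author), the following Python checker parses both Source-line syntaxes proposed above, the `Source[N] sha256(<checksum>): <url>` form and the `<url>#sha256:<checksum>/<basename>` fragment form, and verifies fetched source bytes against the pinned digest. It mirrors the two parsing facts stated in the comment: rpm uses only the text after the last '/', and the downloader ignores the URL fragment. The spec lines, URLs (`example.invalid`) and file contents are constructed; the function names `parse_source_line`, `verify_source` and `check_spec` are my own, and the digests in the sample are the well-known SHA-256 values of the bytes `abc` and of empty input.

```python
"""Parse the proposed rpm Source-line checksum syntaxes and verify fetched sources.
Added example; not rpm's own parser. Names and sample data are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_HEX_LEN = {"sha256": 64, "sha512": 128}

# Proposal 1: "Source[N] sha256(<hex>) : <url>"  (whitespace before ':' optional)
TAG_FORM = re.compile(
    r"^(?P<tag>Source\d*)\s+(?P<algo>sha256|sha512)\((?P<digest>[0-9a-fA-F]+)\)"
    r"\s*:\s*(?P<url>\S+)\s*$"
)
# Proposal 2, and plain unpinned lines: "Source[N]: <url>[#sha256:<hex>/<basename>]"
PLAIN_FORM = re.compile(r"^(?P<tag>Source\d*)\s*:\s*(?P<url>\S+)\s*$")
FRAGMENT_DIGEST = re.compile(r"^(?P<algo>sha256|sha512):(?P<digest>[0-9a-fA-F]+)(?:/.*)?$")


@dataclass
class SourceEntry:
    tag: str
    url: str                # what the downloader fetches (fragment stripped)
    basename: str           # what rpm uses: the text after the last '/'
    algo: Optional[str]
    digest: Optional[str]   # None when the line carries no checksum


def parse_source_line(line: str) -> Optional[SourceEntry]:
    """Return a SourceEntry for a Source line in either syntax, or None otherwise."""
    m = TAG_FORM.match(line)
    if m:
        url = m["url"]
        return SourceEntry(m["tag"], url, url.rsplit("/", 1)[-1], m["algo"], m["digest"].lower())
    m = PLAIN_FORM.match(line)
    if not m:
        return None
    full = m["url"]
    basename = full.rsplit("/", 1)[-1]      # rpm only looks past the last '/'
    url, _, fragment = full.partition("#")  # the download code ignores the fragment
    fm = FRAGMENT_DIGEST.match(fragment)
    algo = fm["algo"] if fm else None
    digest = fm["digest"].lower() if fm else None
    return SourceEntry(m["tag"], url, basename, algo, digest)


def verify_source(entry: SourceEntry, data: bytes) -> bool:
    """True iff data hashes to the pinned digest; unpinned or malformed pins raise, never pass."""
    if entry.digest is None:
        raise ValueError(f"{entry.tag}: no checksum pinned for {entry.basename}")
    if len(entry.digest) != DIGEST_HEX_LEN[entry.algo]:
        raise ValueError(f"{entry.tag}: {entry.algo} digest has the wrong length")
    actual = hashlib.new(entry.algo, data).hexdigest()
    return hmac.compare_digest(actual, entry.digest)


def check_spec(spec_text: str, fetched: dict) -> dict:
    """Map each Source basename to True (verified), False (mismatch) or an 'error: ...' string."""
    results = {}
    for line in spec_text.splitlines():
        entry = parse_source_line(line)
        if entry is None:
            continue
        try:
            results[entry.basename] = verify_source(entry, fetched[entry.basename])
        except (ValueError, KeyError) as exc:
            results[entry.basename] = f"error: {exc}"
    return results


# Constructed sample spec: Source0 pins sha256(b"abc"), Source1 pins sha256(b"") via the
# fragment form, Source2 carries no checksum at all.
SAMPLE_SPEC = """\
Name: foo
Source0 sha256(ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad): https://example.invalid/src/foo-1.0.tar.gz
Source1: https://example.invalid/src/bar-2.0.tar.gz#sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/bar-2.0.tar.gz
Source2: https://example.invalid/src/baz-3.0.tar.gz
"""
# Constructed "downloaded" content for all three sources.
FETCHED = {name: b"abc" for name in ("foo-1.0.tar.gz", "bar-2.0.tar.gz", "baz-3.0.tar.gz")}

if __name__ == "__main__":
    for name, status in check_spec(SAMPLE_SPEC, FETCHED).items():
        print(f"{name}: {status}")
```

Running it reports `foo-1.0.tar.gz` as verified, `bar-2.0.tar.gz` as a mismatch, and `baz-3.0.tar.gz` as an error because no digest is pinned; treating an unpinned source as an error rather than a pass is the policy choice that makes the checksum useful against a tampered download.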