[Rpm-maint] [rpm-software-management/rpm] RFE: read sources checksums from the SPEC file and verify them (#463)
Tomasz Kłoczko
notifications at github.com
Fri Jul 14 11:08:09 UTC 2023
> I think that makes it really tricky with ordering (is it applying to the next source or the previous one? and what if there are conditionals around source lines?). imho really not very intuitive as it is very context dependent.
Currently you can use:
```spec
Source: file1
Source: file2
.
.
```
and rpm automatically numbers those Source internally.
So in the above scenario ..
```spec
Source: file1
Source: file2
SourceCSum: sha256://<checksum1>
SourceCSum: sha256://<checksum2>
```
would be instantly equivalent to:
```spec
Source0: file1
Source1: file2
SourceCSum0: sha256://<checksum1>
SourceCSum1: sha256://<checksum2>
```
Using `<csum_algh>://<checksum>` could also allow the use of, for example, something like `github://verified`, which could retrieve the verified signature of released/tagged Source: (and Patch:) archives (patches generated out of commits) as well.
https://docs.github.com/en/authentication/troubleshooting-commit-signature-verification/checking-your-commit-and-tag-signature-verification-status
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-1635700929
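
The index pairing proposed in the message above, as an added Python sketch that is not part of the original message and not rpm code. `SourceCSum` is the proposed tag, not an existing one; the numbering rule, the accepted algorithm set and all function names are assumptions, and `%if` conditionals and macros are ignored.

```python
import hashlib
import re

# SourceCSum is the tag proposed in this thread, not an existing rpm tag.
TAG_RE = re.compile(r"^(SourceCSum|Source)(\d*)\s*:\s*(\S+)$", re.IGNORECASE)
SUPPORTED = {"sha256", "sha512"}  # assumed set of accepted algorithms

def parse_tags(spec_text):
    """Return ({n: file}, {n: (algo, digest)}); unnumbered tags are auto-numbered."""
    sources, csums = {}, {}
    for line in spec_text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue
        is_csum = m.group(1).lower() == "sourcecsum"
        table = csums if is_csum else sources
        # Assumed numbering rule: an unnumbered tag gets highest-so-far + 1.
        idx = int(m.group(2)) if m.group(2) else max(table, default=-1) + 1
        if idx in table:
            raise ValueError(f"duplicate index {idx} for {m.group(1)}")
        value = m.group(3)
        if is_csum:
            algo, sep, digest = value.partition("://")
            if not sep or not digest:
                raise ValueError(f"malformed checksum value: {value}")
            value = (algo.lower(), digest.lower())
        table[idx] = value
    return sources, csums

def verify_sources(spec_text, blobs):
    """Map each source index to 'ok', 'mismatch', 'unchecked' or 'unsupported'."""
    sources, csums = parse_tags(spec_text)
    if set(csums) - set(sources):  # a checksum that pairs with no Source line
        raise ValueError(f"SourceCSum without Source: {sorted(set(csums) - set(sources))}")
    result = {}
    for idx, name in sorted(sources.items()):
        if idx not in csums:
            result[idx] = "unchecked"
        elif csums[idx][0] not in SUPPORTED:
            result[idx] = "unsupported"
        else:
            actual = hashlib.new(csums[idx][0], blobs[name]).hexdigest()
            result[idx] = "ok" if actual == csums[idx][1] else "mismatch"
    return result

# Constructed sample: in-memory "files" plus a spec fragment in the proposed syntax.
BLOBS = {"file1": b"first tarball", "file2": b"second tarball"}
GOOD = hashlib.sha256(BLOBS["file1"]).hexdigest()  # the second digest below is wrong
SPEC = f"Source: file1\nSource: file2\nSourceCSum: sha256://{GOOD}\nSourceCSum: sha256://{'0' * 64}\n"
```

With this pairing a source that has no checksum line is reported as `unchecked` rather than failing, so a build policy would still have to decide whether unchecked sources are acceptable.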