[Rpm-maint] [rpm-software-management/rpm] Reproducible builds improvements (Discussion #2934)

Zbigniew Jędrzejewski-Szmek notifications at github.com
Thu Feb 29 12:10:47 UTC 2024


I don't think that a custom "rpmhash" tool is the problem. We have to "trust" the tools anyway… A tool that deletes signatures is as much an opaque binary as the tool that calculates some hash.

I think it would be a reasonable compromise to say that the hypothetical "rpmhash" tool must give a result that is identical to delsign+sha256sum. The problem is to agree on what exactly is stripped and/or skipped in the hash.

FWIW, I've been going through Fedora rebuilds over the last few days, and there is clear value in having BUILDHOST set to a non-fake value. For example in https://bugzilla.redhat.com/show_bug.cgi?id=2266767#c4, it was very helpful in diagnosing an arch-specific issue in a noarch package.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2934#discussioncomment-8630015