[Rpm-maint] [rpm-software-management/rpm] Deal with SOURCEPKGID, PKGID and HDRID (Issue #3330)
Panu Matilainen
notifications at github.com
Mon Feb 24 11:53:17 UTC 2025
pmatilai left a comment (rpm-software-management/rpm#3330)
The TLDR version of this comes down to:
> PKGID and SOURCEPKGID bind an src.rpm and a binary created in the same build together.
At the outset, this seems like a useful binding to have. But is this something anybody at all cares about?
Distros only store one version of src.rpm for all the architectures, so for the vast majority of binary packages out there a corresponding src.rpm simply does not exist at all, so the binding is completely moot. Another issue with this is that using the header checksum as a binding id forces it to be in the signature header, which in turn means it's unsigned and thus trivially breakable.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3330#issuecomment-2678193196