[Rpm-maint] [rpm-software-management/rpm] install-time data API (Discussion #3874)

Hank Donnay notifications at github.com
Thu Jul 31 21:09:11 UTC 2025


In 82549e30cafe352e4c83205d4dbe3be78b53c2a7, @pmatilai wrote:

> Not used here but this shall serve as a generic mechanism to store
> auxiliary data into packages at install time. Auxiliary here means
> any data that is not contained in the package file.
> 
> There are various depsolver use-cases that have been waiting for such
> a facility for ages, but before opening this for public use it'll need
> additional safeguards to prevent malicious use. Hence this is internal
> only for now, to be used in the next commit.

and then in 43eb8e8779145a3338db4a1e2c3d9bf6f8a20e2d, explained the use:

> It can be hard to reliably map packages in repositories to installed
> packages because the common repodata format only stores package-level
> checksums, whereas packages themselves cannot contain such a checksum
> for obvious reasons. The NEVRA information is nowhere near enough to
> uniquely identify a package. Technically of course, the repodata could
> be extended to carry header checksums but it seems that format is next
> to impossible to change, so...
> 
> Having rpm calculate and store a configurable set of hashes has the
> benefit of serving as a cross-check that the package we installed was
> bit-per-bit identical to what was in the repository, even after the fact.

I have a similar use case (#3503) that would make use of being able to add install-time data about packages. To that end, the questions I have are:

- What are the malicious concerns and corresponding safeguards?
- Are there API footguns around a superset of `rpmtsAddInstallElement` that adds a `Header aux` argument?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/3874
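
The cross-check the second quoted commit message describes, as an added example that is not part of the original message and is not rpm code: it matches install-time hashes against repodata `primary.xml` checksums and shows why NEVRA alone is ambiguous. The package bytes, repo ids and the `INSTALLED` dict (a stand-in for whatever rpm records at install time, which the page does not show) are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}  # repodata primary.xml namespace

def primary_xml(pkg_bytes, href):
    """Build a constructed one-package primary.xml document for the sample."""
    digest = hashlib.sha256(pkg_bytes).hexdigest()
    return (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        '<package type="rpm"><name>demo</name><arch>x86_64</arch>'
        '<version epoch="0" ver="1.0" rel="1"/>'
        f'<checksum type="sha256" pkgid="YES">{digest}</checksum>'
        f'<location href="{href}"/></package></metadata>'
    )

def index_repo(repo_id, xml_text):
    """Return [(nevra, checksum_type, checksum, repo_id, href)] for one repo."""
    rows = []
    for pkg in ET.fromstring(xml_text).findall("c:package", NS):
        v = pkg.find("c:version", NS)
        nevra = "{}-{}:{}-{}.{}".format(
            pkg.findtext("c:name", namespaces=NS), v.get("epoch"), v.get("ver"),
            v.get("rel"), pkg.findtext("c:arch", namespaces=NS))
        ck = pkg.find("c:checksum", NS)
        rows.append((nevra, ck.get("type"), ck.text.strip().lower(),
                     repo_id, pkg.find("c:location", NS).get("href")))
    return rows

def match_by_nevra(rows, nevra):
    """Every repo entry carrying this NEVRA; may be more than one."""
    return [r for r in rows if r[0] == nevra]

def match_by_hash(rows, installed_hashes):
    """installed_hashes: {algorithm: hexdigest} recorded when the package was installed."""
    return [r for r in rows if installed_hashes.get(r[1], "").lower() == r[2]]

# Constructed sample: two different package files that share one NEVRA.
BUILD_A = b"constructed package payload, build A"
BUILD_B = b"constructed package payload, build B (rebuilt)"
ROWS = (index_repo("repo-a", primary_xml(BUILD_A, "Packages/demo-1.0-1.x86_64.rpm"))
        + index_repo("repo-b", primary_xml(BUILD_B, "Packages/demo-1.0-1.x86_64.rpm")))
# Assumption: this dict stands in for the hashes stored at install time.
INSTALLED = {"sha256": hashlib.sha256(BUILD_B).hexdigest()}

if __name__ == "__main__":
    print("by NEVRA:", [r[3] for r in match_by_nevra(ROWS, "demo-0:1.0-1.x86_64")])
    print("by hash: ", [r[3] for r in match_by_hash(ROWS, INSTALLED)])
```

A hash that matches no repodata entry returns an empty list, which is the signal that the installed package is not bit-identical to anything the configured repositories offer.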