Mailinglist Archive: opensuse-buildservice (140 mails)

Re: [opensuse-buildservice] adding checksums to the buildinfo
On 2012-07-17 17:47:07 +0200, Marcus Meissner wrote:
> On Tue, Jul 17, 2012 at 05:31:40PM +0200, Marcus Hüwe wrote:
> > Hi,
> >
> > some days ago darix and I had a small discussion about verifying the
> > integrity of the downloaded packages which are used for local builds.
> > The idea is that we add a checksum for each package to the buildinfo
> > xml so that a client/osc can "easily" check if the downloaded file is
> > corrupted.
> > For instance we could add the hdrmd5 to buildinfo (this would require
> > only a small change in the backend) or alternatively we add the md5
> > of the whole package to the buildinfo (this would probably require
> > a bigger change in the backend). The advantage of the latter is that
> > it is much easier to verify for the client (but then I don't think
> > there are many clients which deal with the buildinfo at all...).
> >
> > Any opinions?:)
>
> I thought there is RPM key checking done already? At least
> it asks me for the keys..
>
> This could be reused for this.

Yes, currently osc checks the rpm signature, but this is only true for
rpms. We cannot verify the integrity for deb packages or arch
packages. Thus it would help if we have some hash value which
can be used for checking the package (or in case of the hdrmd5 that
at least some "parts" of the downloaded file are correct).

Also the current rpm key checking just "assures" integrity of the
package - nothing more (IMHO because we just download a key from the
api and check the rpm).


Marcus
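
A sketch of the client-side check proposed in this thread, added here as an example and not code from osc or the build service: it compares each downloaded file with a whole-file digest carried in the buildinfo. The `md5` attribute on `<bdep>`, the sample XML and the name-to-path mapping are assumptions made for illustration.

```python
import hashlib
import os
import xml.etree.ElementTree as ET


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a file in chunks so large packages are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(buildinfo_xml, paths, algo="md5"):
    """Return {bdep name: status} for every <bdep> in the buildinfo.

    paths maps a bdep name to the downloaded file. The digest is read from a
    hypothetical attribute named after the algorithm (e.g. md5="...").
    Status is "ok", "mismatch", "missing" or "no-checksum".
    """
    results = {}
    for bdep in ET.fromstring(buildinfo_xml).iter("bdep"):
        name, expected = bdep.get("name"), bdep.get(algo)
        path = paths.get(name)
        if expected is None:
            results[name] = "no-checksum"   # nothing to compare against
        elif path is None or not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"      # corrupted or wrong file
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "foo.deb")            # constructed sample files
        bad = os.path.join(d, "bar.pkg.tar.xz")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"constructed package payload")
        digest = file_digest(good)
        with open(bad, "ab") as f:                   # simulate a corrupted download
            f.write(b"\x00")
        xml = ('<buildinfo><bdep name="foo" md5="%s"/><bdep name="bar" md5="%s"/>'
               '<bdep name="baz"/></buildinfo>' % (digest, digest))
        print(verify_downloads(xml, {"foo": good, "bar": bad}))
```

A digest fetched from the same API as the packages detects a corrupted download only, the same limit the reply describes for the current key check.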