[opensuse-factory] New policy proposal for Factory: Make source of tar balls trackable
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-sour...
And please drop some comments as reply to this mail :)
thanks adrian
-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Monday 21 March 2011, at 10:00 +0100, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
If I read it right, this means we should stop recompressing tarballs from .gz to .bz2. No issue with that, just need to update some scripts to stop doing it ;-) Cheers, Vincent -- Happy people are not in a hurry.
On Monday, 21 March 2011, 10:12:18 Vincent Untz wrote:
On Monday 21 March 2011, at 10:00 +0100, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
If I read it right, this means we should stop recompressing tarballs from .gz to .bz2. No issue with that, just need to update some scripts to stop doing it ;-)
We could also add an automatic from-something-to-$policy recompression, if we want to. We just need to find a way to do this in a comparable way (no time stamps inside), but that should be possible. But I think we can also just stop doing the recompression, the use case that we need to keep source media small is not important anymore IMHO, because we just point people to the src.rpm ftp tree these days and do not create CD/DVD media anymore. bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
On Monday, 21 March 2011, 10:00:01 Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
thanks adrian
A lot of sources want to be bzipped after download because they are big gzip archives and rpmlint complains. How should I do this with your download service? -- Ralf Lang Linux Consultant / Developer B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de GF: Ralph Dehner / Registered office: Vohburg / AG: Ingolstadt, HRB 3537
On Monday, 21 March 2011, 10:38:11 Ralf Lang wrote:
On Monday, 21 March 2011, 10:00:01 Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
thanks adrian
A lot of sources want to be bzipped after download because they are big gzip archives and rpmlint complains. How should I do this with your download service?
Either we need to add an automatic recompression or we drop this policy (and rpmlint check). bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
On Monday 21 March 2011 10:39:02 Adrian Schröter wrote:
On Monday, 21 March 2011, 10:38:11 Ralf Lang wrote:
On Monday, 21 March 2011, 10:00:01 Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
thanks adrian
A lot of sources want to be bzipped after download because they are big gzip archives and rpmlint complains. How should I do this with your download service?
Either we need to add an automatic recompression or we drop this policy (and rpmlint check).
Dropping would allow comparing source tarballs against checksums published upstream. -- Kind regards, Sascha Peilicke http://saschpe.wordpress.com
On Monday, 21 March 2011, 10:54:41 Sascha Peilicke wrote:
On Monday 21 March 2011 10:39:02 Adrian Schröter wrote:
On Monday, 21 March 2011, 10:38:11 Ralf Lang wrote:
On Monday, 21 March 2011, 10:00:01 Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
thanks adrian
A lot of sources want to be bzipped after download because they are big gzip archives and rpmlint complains. How should I do this with your download service?
Either we need to add an automatic recompression or we drop this policy (and rpmlint check).
Dropping would allow comparing source tarballs against checksums published upstream.
Yes, I am also in favor of that approach. -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
On Mon, Mar 21, 2011 at 10:54:41AM +0100, Sascha Peilicke wrote:
On Monday 21 March 2011 10:39:02 Adrian Schröter wrote:
On Monday, 21 March 2011, 10:38:11 Ralf Lang wrote:
On Monday, 21 March 2011, 10:00:01 Adrian Schröter wrote:
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
A lot of sources want to be bzipped after download because they are big gzip archives and rpmlint complains. How should I do this with your download service?
Either we need to add an automatic recompression or we drop this policy (and rpmlint check).
Dropping would allow comparing source tarballs against checksums published upstream.
If the upstream project follows this convention. But some projects don't. With Samba we have tar.gz files while we have a tar.asc and no tar.gz.asc file. This has mainly grown historically. And as this state is documented we consider it ok. Therefore I'd appreciate it if we're able to handle this in a flexible way on the OBS side. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Mon, 21 Mar 2011, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-sour...
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent
(how do you build such with just rpmbuild? Build once in OBS and then
download a source rpm?). Why not just provide tarball URL and MD5/SHA
checksum in the rpm spec file? I really do not like adding other
non-standard metadata on top of what we already have.
OBS can then simply _verify_ the integrity of the local tarball
instead of downloading some random tarball from some random site
(your proposal does not add any way to ensure that the tarball
stays valid - consider somebody replacing the tarball upstream).
Re-downloading the tarball isn't such a check as we no longer would
provide a first known-good one.
Btw, I think we already discussed this topic enough so I'm sort-of
disappointed with that proposal.
Thanks,
Richard.
--
Richard Guenther
On Monday 21 March 2011 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent (how do you build such with just rpmbuild? Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file? I really do not like adding other non-standard metadata on top of what we already have.
Actually, this is what I'd like to see too. However, AFAIK the download_url service already uses the URL found in the Source tag. Having that info directly in the spec file seems sanest:
Source0: http://foo.com/bar.tgz
Source0-MD5: 1234567
Source0-SHA1: 1234567
OBS can then simply _verify_ the integrity of the local tarball instead of downloading some random tarball from some random site (your proposal does not add any way to ensure that the tarball stays valid - consider somebody replacing the tarball upstream). Re-downloading the tarball isn't such a check as we no longer would provide a first known-good one.
-- Kind regards, Sascha Peilicke http://saschpe.wordpress.com
Sascha Peilicke wrote:
On Monday 21 March 2011 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent (how do you build such with just rpmbuild? Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file? I really do not like adding other non-standard metadata on top of what we already have.
Actually, this is what I'd like to see too. However, AFAIK the download_url service already uses the URL found in the Source tag. Having that info directly in the spec file seems sanest:
Source0: http://foo.com/bar.tgz
Source0-MD5: 1234567
Source0-SHA1: 1234567
RPM doesn't like unknown tags though. I'm not sure how the chances are to get a patch accepted that allows e.g. an X-vendor prefix. Fedora avoids an rpm patch by having a separate file 'sources' that lists the file names and their check sums. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
On Monday 21 March 2011 11:40:10 Ludwig Nussel wrote:
Sascha Peilicke wrote:
On Monday 21 March 2011 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent (how do you build such with just rpmbuild? Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file? I really do not like adding other non-standard metadata on top of what we already have.
Actually, this is what I'd like to see too. However, AFAIK the download_url service already uses the URL found in the Source tag. Having that info directly in the spec file seems sanest:
Source0: http://foo.com/bar.tgz Source0-MD5: 1234567 Source0-SHA1: 1234567
RPM doesn't like unknown tags though. I'm not sure how the chances are to get a patch accepted that allows e.g. an X-vendor prefix. Fedora avoids an rpm patch by having a separate file 'sources' that lists the file names and their check sums.
Or, as Michael suggested, one could use those RPM notations:
#!Source0-MD5: 1234
or
#!SourceChecksum0: md5(1234)
-- Kind regards, Sascha Peilicke http://saschpe.wordpress.com
On Monday, 21 March 2011, 12:06:04 Sascha Peilicke wrote:
On Monday 21 March 2011 11:40:10 Ludwig Nussel wrote:
Sascha Peilicke wrote:
On Monday 21 March 2011 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent (how do you build such with just rpmbuild? Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file? I really do not like adding other non-standard metadata on top of what we already have.
Actually, this is what I'd like to see too. However, AFAIK the download_url service already uses the URL found in the Source tag. Having that info directly in the spec file seems sanest:
Source0: http://foo.com/bar.tgz Source0-MD5: 1234567 Source0-SHA1: 1234567
RPM doesn't like unknown tags though. I'm not sure how the chances are to get a patch accepted that allows e.g. an X-vendor prefix. Fedora avoids an rpm patch by having a separate file 'sources' that lists the file names and their check sums. Or, as Michael suggested, one could use those RPM notations:
#!Source0-MD5: 1234
or
#!SourceChecksum0: md5(1234)
Yes, but this would be an additional check IMHO. It does not make much sense to track MD5 sums here IMHO, because that is also done anyway in the source history. But SHA256 or GPG key validation would make sense, if the upstream project has reliable sources. Esp. when we would build up a pool of trusted GPG keys already (where we validated that they come from upstream projects). bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
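The `#!SourceChecksum0: algo(digest)` notation Sascha and Ludwig discuss above, together with Richard's point that only a digest pinned at import time catches a tarball later replaced upstream, as an added example that is not code from this thread or from OBS: a small Python checker that parses `Source` tags and the proposed checksum comment lines, treats md5/sha1 as untrusted (as Adrian suggests), and compares each local tarball against its pinned digest. The tag name, URLs and sample bytes are assumptions or constructed for the example.

```python
"""Check packaged tarballs against checksums pinned in an RPM spec."""
import hashlib
import os
import re
import sys

# "Source0: URL" is the normal RPM tag; "#!SourceChecksum0: sha256(hex)" is the
# comment notation floated in the thread (an assumed tag name, not an RPM standard).
SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)")
CHECKSUM_RE = re.compile(r"^#!SourceChecksum(\d*):\s*(\w+)\(([0-9a-fA-F]+)\)")
STRONG_ALGOS = {"sha256", "sha512"}  # md5/sha1 are parsed but never trusted

def parse_spec(text):
    """Map source index -> {'url', 'algo', 'digest'} from spec lines."""
    sources = {}
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            sources.setdefault(int(m.group(1) or 0), {})["url"] = m.group(2)
            continue
        m = CHECKSUM_RE.match(line)
        if m:
            entry = sources.setdefault(int(m.group(1) or 0), {})
            entry["algo"], entry["digest"] = m.group(2).lower(), m.group(3).lower()
    return sources

def verify_source(data, entry):
    """Return 'ok', 'mismatch', 'missing', 'unpinned' or 'weak-algo' for one
    tarball's bytes; the pinned digest is the known-good reference."""
    if data is None:
        return "missing"
    if "digest" not in entry:
        return "unpinned"
    if entry["algo"] not in STRONG_ALGOS:
        return "weak-algo"
    actual = hashlib.new(entry["algo"], data).hexdigest()
    return "ok" if actual == entry["digest"] else "mismatch"

def check_all(spec_text, blobs):
    """Verify every Source entry; blobs maps source index -> tarball bytes."""
    return {i: verify_source(blobs.get(i), e) for i, e in parse_spec(spec_text).items()}

# Constructed sample spec: a sha256-pinned, an md5-only and an unpinned source.
SAMPLE_TARBALL = b"constructed stand-in for foo-1.0.tar.gz\n"
SAMPLE_SPEC = (
    "Source0: http://example.invalid/foo-1.0.tar.gz\n"
    f"#!SourceChecksum0: sha256({hashlib.sha256(SAMPLE_TARBALL).hexdigest()})\n"
    "Source1: http://example.invalid/foo-data.tar.gz\n"
    "#!SourceChecksum1: md5(1234)\n"
    "Source2: http://example.invalid/foo-docs.tar.gz\n"
)

if __name__ == "__main__":
    # Usage: verify_sources.py package.spec  (tarballs looked up by basename in CWD)
    spec = open(sys.argv[1]).read()
    names = {i: os.path.basename(e["url"]) for i, e in parse_spec(spec).items()}
    blobs = {i: open(n, "rb").read() for i, n in names.items() if os.path.exists(n)}
    results = check_all(spec, blobs)
    print(*(f"Source{i}: {r}" for i, r in sorted(results.items())), sep="\n")
    sys.exit(0 if all(r == "ok" for r in results.values()) else 1)
```

A non-zero exit for anything but "ok" is deliberate: an unpinned or md5-only source is treated as a policy failure, not a pass.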
On Monday, 21 March 2011, 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-sour...
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent (how do you build such with just rpmbuild?
In exactly the same way.
Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file?
Exactly this is the proposal.
I really do not like adding other non-standard metadata on top of what we already have.
OBS can then simply _verify_ the integrity of the local tarball instead of downloading some random tarball from some random site (your proposal does not add any way to ensure that the tarball stays valid - consider somebody replacing the tarball upstream). Re-downloading the tarball isn't such a check as we no longer would provide a first known-good one.
Btw, I think we already discussed this topic enough so I'm sort-of disappointed with that proposal.
Please read it ;) -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
On Mon, 21 Mar 2011, Adrian Schröter wrote:
On Monday, 21 March 2011, 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-sour...
And please drop some comments as reply to this mail :)
The use of source services makes the build process less transparent (how do you build such with just rpmbuild?
In exactly the same way.
Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file?
Exactly this is the proposal.
I really do not like adding other non-standard metadata on top of what we already have.
OBS can then simply _verify_ the integrity of the local tarball instead of downloading some random tarball from some random site (your proposal does not add any way to ensure that the tarball stays valid - consider somebody replacing the tarball upstream). Re-downloading the tarball isn't such a check as we no longer would provide a first known-good one.
Btw, I think we already discussed this topic enough so I'm sort-of disappointed with that proposal.
Please read it ;)
I did. It nowhere mentions spec files but only source services
and new kind of URLs.
Richard.
--
Richard Guenther
On 21/03/11 06:00, Adrian Schröter wrote:
Hi,
I like to propose a new policy for Factory regarding our package source handling with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
Please find my proposal here:
http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-sour...
And please drop some comments as reply to this mail :)
I got two comments:
- verify_file service doesn't seem to support gpg verification, this is IMHO a must.
- quilt doesn't understand "source services" so quilt setup does not work anymore without copying the actual downloaded file without the _service:download prefix
- There is no documentation on how to use tar_scm service or others from the osc command line.
Participants (8): Adrian Schröter, Cristian Rodríguez, Lars Müller, Ludwig Nussel, Ralf Lang, Richard Guenther, Sascha Peilicke, Vincent Untz