Philipp Thomas wrote:
> It would cause major disruption as that change would have to be done inside the rpm utility and SUSE is not going to deviate here from the standard rpm.

--- How would it cause any disruption? Let alone, major?

> I guess you're rather alone there as I've not seen others complain.

I'm usually one of the first to see potential conflicts that could result in unnecessary headaches or security problems, but then that's just my curse.

>> and significantly less of a security problem.
>
> AFAICS, there is no security problem! So please tell me where you think one exists.
>
>> It isn't unlikely that 2 different packages might have the same name for some source
>
> Wrong! It's *very* unlikely for 2 different packages to have the same name.

---- Here is where we differ. In SuSE 9.3, I count 265 different names that are duplicated in two or more packages. All told, 503 duplicate names. In SuSE 10.0, that figure goes up: 430 unique names that are duplicated, 969 duplications. That many occurrences fits my definition of "not unlikely". Unlikely != impossible. All you need is 1 duplicate source filename with different contents in two different packages that are built at the same time on the same machine and you will end up with the wrong contents in one of the packages. If you are lucky, the impact will be zero; if you are unlucky, the patch will patch in code that compiles but has latent bugs waiting to be exposed. At the very least, though, you end up with RPMs built from wrong sources. It's a potential security concern, waiting to happen.

If it is required to only unpackage the sources for 1 RPM at a time, then RPM should clean out the SOURCES directory before unpacking new sources into it, but this would prevent parallel RPM builds, would it not? It seems common to build more than one RPM at a time on a multi-cpu machine. Not using separate subdirs for SOURCES would be only slightly more safe than not using separate subdirs in the BUILD directory.

> Yes, that's much more possible, but that's why most patches nowadays *have* the name of the package prepended.

--- Some do, some don't. There is no enforcement or standard. Try this (bash shell):

    (for i in <sourcedir>/*.src.rpm; do rpm -qlp "$i"; done) >allsources.txt

That should dump about 15,000+ source file names into allsources.txt. From there you can use "sort" into "uniq -dc" and you'll see plenty of source-filename duplications. You also will not be able to tell which source rpm most of the names come from. If there is no parallelism in distribution builds, this may not be an issue for those builds, but for anyone unwrapping, looking at, and/or building more than one RPM at a time on the same machine, it's a potential pitfall.

-linda walsh