Mailinglist Archive: opensuse-factory (837 mails)

Re: [opensuse-factory] New policy proposal for Factory: Make source of tar balls trackable
On Monday 21 March 2011 11:40:10 Ludwig Nussel wrote:
Sascha Peilicke wrote:
On Monday 21 March 2011 11:25:06 Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:
I would like to propose a new policy for Factory regarding our package
source handling with the goal that our package sources are
upgradable, modifiable and trustable by any other developer.

Please find my proposal here:

http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/

And please drop some comments as reply to this mail :)

The use of source services makes the build process less transparent
(how do you build such with just rpmbuild? Build once in OBS and then
download a source rpm?). Why not just provide tarball URL and MD5/SHA
checksum in the rpm spec file? I really do not like adding other
non-standard metadata on top of what we already have.

Actually, this is what I'd like to see too. However, AFAIK the
download_url service already uses the URL found in the Source tag.
Having that info directly in the spec file seems sanest:

Source0: http://foo.com/bar.tgz
Source0-MD5: 1234567
Source0-SHA1: 1234567

RPM doesn't like unknown tags though. I'm not sure what the chances
are to get a patch accepted that allows e.g. an X-vendor prefix.
Fedora avoids an rpm patch by having a separate file 'sources' that
lists the file names and their checksums.
Or, as Michael suggested, one could use those RPM notations:

#!Source0-MD5: 1234

or

#!SourceChecksum0: md5(1234)
--
Kind regards,
Sascha Peilicke
http://saschpe.wordpress.com
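
Added example (not part of the original thread, and not OBS or RPM code): a checker for the "#!SourceChecksumN: algo(digest)" comment notation suggested above, which reports each SourceN tag as pinned, unpinned or mismatching. Reading the value as "<hashlib algorithm>(<hex digest>)", the function names and the status strings are assumptions; the sample tarballs are constructed.

```python
import hashlib
import re
from pathlib import Path

# Notation from the thread: "#!SourceChecksum0: md5(1234)". Treating it as
# "<algo>(<hex digest>)" for any hashlib algorithm is an assumption.
SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)", re.M)
CHECKSUM_RE = re.compile(r"^#!SourceChecksum(\d*):\s*(\w+)\(([0-9a-fA-F]+)\)", re.M)
WEAK = {"md5", "sha1"}  # not collision resistant; flagged, not rejected


def verify_sources(spec_text, source_dir):
    """Return {source index: status} for every SourceN tag in the spec."""
    sums = {m[1] or "0": (m[2].lower(), m[3].lower())
            for m in CHECKSUM_RE.finditer(spec_text)}
    report = {}
    for m in SOURCE_RE.finditer(spec_text):
        idx = m[1] or "0"
        # The spec may give a URL; the local file is its last path component.
        path = Path(source_dir) / m[2].rsplit("/", 1)[-1]
        if idx not in sums:
            report[idx] = "unpinned"
            continue
        algo, want = sums[idx]
        if algo not in hashlib.algorithms_available:
            report[idx] = "unknown-algorithm"
        elif not path.is_file():
            report[idx] = "missing-file"
        elif hashlib.new(algo, path.read_bytes()).hexdigest() != want:
            report[idx] = "mismatch"
        else:
            report[idx] = "ok-weak-hash" if algo in WEAK else "ok"
    return report


def demo():
    """Constructed sample: two tarballs and a spec pinning only one of them."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "bar.tgz").write_bytes(b"constructed tarball contents")
        (Path(d) / "extra.tgz").write_bytes(b"second constructed file")
        digest = hashlib.sha256(b"constructed tarball contents").hexdigest()
        spec = ("Name: bar\n"
                "Source0: http://foo.com/bar.tgz\n"
                f"#!SourceChecksum0: sha256({digest})\n"
                "Source1: extra.tgz\n")
        return verify_sources(spec, d)
```

Because the annotation is a comment, rpmbuild ignores it; only a separate check like this one enforces the pin.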