RPM submission procedure

Warren Togami warren at togami.com
Thu Jan 8 02:04:50 UTC 2004


Eric S. Raymond wrote:
>>My greatest concern here is that I question the efficacy of any such 
>>client.  I can see how an XML-RPC client can use a template-based 
>>approach in submitting new packages within a new Bugzilla report, or 
>>submitting a package update to an existing Bugzilla report, but 
>>otherwise I don't see it being very useful.
> 
> 
> That would cover the common case where I'm doing a point release that
> I want to drop in to your repository.

Excellent.

> 
> 
>>https://bugzilla.fedora.us/show_bug.cgi?id=520
>>Something like how I started this Bugzilla report is one way packages 
>>are submitted.  Only the URL to SRPM, URL to md5sums.asc, and a short 
>>description about what the package does.  A tool that can do this 
>>reliably would save maybe 30-45 seconds.  It would be easy to use that same 
>>tool to post updates to that package in the existing report too.  Beyond 
>>this what would the tool do that is useful?
> 
> 
> What I want to do is be able to call that tool in my release scripts.
> 
> That is, I want to do with the Fedora repository what I now do for all
> 37 of my projects via freshmeat-submit, one of my recent projects.
> Whenever I do a release, I run an upload script specific to that
> project.  The upload script does a bunch of uploads, then calls
> freshmeat-submit.  freshmeat-submit does an XML-RPC transaction with
> freshmeat.net and posts a release announcement.
> 
> What I want to be able to do is run a client that drops submission
> information in your queue automatically, mining it out of my locally
> generated RPMs if need be.
> 
> You tell me the required metadata is (1) an URL to an SRPM, an MD5
> signature, and a package description.  This raises a couple of 
> questions:
> 
> (1) Why not just mine the description out of the Description field
>     of the SRPM?
> 
> (2) Don't RPMs have their own internal checksum?
> 
> If the answer to (2) is no, seems to me the thing to do would be to 
> enhance RPM to do its own MD5 checksumming and require submitters to
> be using a version new enough to have that feature.

RPM does have all information necessary and it could be auto-generated, 
yes.  SRPMS are also signed with rpm --addsign before submission.  We 
had been including md5sums GPG signed with package submissions so QA 
testers can easily verify signatures without the necessity of importing 
arbitrary user GPG keys into their rpm keyring.  Using a simple upload 
script, this is not a difficult, time-consuming process.  I use the 
following script:

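#!/bin/sh
# Stop if the directory is missing so nothing below runs elsewhere
cd ~/fedora || exit 1
# Checksum every package in the submission directory
md5sum *.rpm > md5sums
# Remove the old signature so gpg does not prompt to overwrite it
rm -f md5sums.asc
# Writes the clearsigned list to md5sums.asc
gpg --clearsign md5sums
# Upload the directory over ssh
rsync -e ssh -auv --delete /home/warren/fedora/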

Warren
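
The QA tester's side of the md5sums.asc scheme described in the message above, as an added example that is not part of the original post. The function names are hypothetical, and it assumes the submitter's public key is already in the tester's GnuPG keyring (not the rpm keyring).

```shell
#!/bin/sh
# QA-tester side of the md5sums.asc scheme (added example).
# Assumed, not from the post: the function names, and that the submitter's
# public key is already in the tester's GnuPG keyring.

# Print only the text covered by the clearsign signature; exits non-zero
# if the signature does not verify. Parsing md5sums.asc directly would
# also accept lines placed outside the signed region.
signed_payload() {
    gpg --batch --decrypt "$1" 2>/dev/null
}

# check_sums DIR LIST: LIST is an absolute path to md5sum-format text.
# Fails if any listed file is missing or altered, or if DIR holds an
# .rpm that LIST does not cover.
check_sums() (
    cd "$1" || exit 1
    md5sum -c "$2" >/dev/null 2>&1 || { echo "checksum mismatch" >&2; exit 1; }
    for f in *.rpm; do
        [ -e "$f" ] || continue
        # md5sum lines are: 32 hex digits, two separator chars, file name
        awk -v f="$f" 'substr($0, 35) == f { ok = 1 } END { exit !ok }' "$2" ||
            { echo "not in signed list: $f" >&2; exit 1; }
    done
)

# verify_submission DIR: DIR holds the downloaded *.rpm and md5sums.asc.
verify_submission() (
    list=$(mktemp) || exit 1
    if signed_payload "$1/md5sums.asc" > "$list" && check_sums "$1" "$list"
    then rc=0; else rc=1; fi
    rm -f "$list"
    exit "$rc"
)

# Run only when given a directory argument.
[ "$#" -eq 0 ] || verify_submission "$1"
```

MD5 no longer resists collisions, so the signed list is only as strong as that hash; the same flow works with sha256sum in place of md5sum.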




