Time to resurrect multi-key signatures in RPM?

Chris Adams cmadams at hiwaay.net
Tue Aug 26 03:09:41 UTC 2008

Once upon a time, Bojan Smojver <bojan at rexursive.com> said:
> Andrew Bartlett <abartlet <at> samba.org> writes:
> > I think the checksums would be the hardest part.   Build times, hosts
> > and other details are very often embedded into a build. 
> Yeah, good point. We do have checksums of individual files inside the RPM,
> right? Maybe we can leverage that in order to provide a build system neutral
> checksum that can be verified independently?

That still doesn't help; some things embed the compile time and info in
the files.  See for example 'uname -v' (although that one is pretty
easily controlled IIRC) and 'perl -V'.

One possible way to handle builds that do this would be to do something
like use the timestamp of the spec file or last CVS update time for
example and force such builds to use that instead of the current time.

That doesn't help the 'perl -V' example though, since it includes the
'uname -r' and 'uname -v' output in the resulting binary; for example,
you can see that the current perl RPM on F9/x86_64 was built on a RHEL5
(or derivative; somebody could tell from the version string) system and
what kernel it was running at the time.

Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

More information about the fedora-devel-list mailing list