Noarch subpackage problem

Tue Feb 24 21:59:17 UTC 2009

Toshio Kuratomi wrote:
> So we had a discussion on IRC today about the failure cases of noarch
> subpackages.  I think we should make some changes to the way we check
> that noarch subpackages are sane.
> 
> Currently, when a noarch subpackage is built, rpmdiff is run on the
> noarch packages that were built by each builder.
> 
> Of the checks that rpmdiff does, we discard all of them except Provides,
> Requires, and the list of files.  My concern is that if you throw out
> md5sum and filesize in these checks there's a lot of margin for creating
> subpackages that are not actually noarch.

Actually the full list of tags we diff are:

name
summary
description
group
license
url
prein (script)
postin (script)
preun (script)
postun (script)

For Requires, Provides, Conflicts, and Obsoletes we check that the lists 
  (including versions) are identical across all subpackages.

We verify that that file lists are identical across all subpackages, and 
for each file in the file lists we verify that the following attributes 
are identical:

mode
flags
nlink
state
vflags
user
group

> For instance, if bitedness ends up in include files that are placed in a
> noarch subpackage, those subpackages won't be caught by this check.
> That would allow a package to go out that could prevent building with
> the incorrect header.
> 
> The reason that filesize and md5sum are discarded is that
> arch-inspecific files can have timestamps embedded into them at build
> time.  This means, for instance, that documentation can differ between
> builds of a subpackage despite it being a prime candidate for a noarch
> subpackage.
> 
> An idea for a change would be to extend rpmdiff to be able to list
> changes in md5sum between all files except those marked as %doc.  This
> would let documentation packages through even if timestamps were
> embedded but not let a noarch package with differing headers through,
> for instance.

Another class of files that are noarch-but-different are .pyc/.pyo 
files, as Julian Sikorski found out:

https://www.redhat.com/archives/fedora-devel-list/2009-February/msg01826.html

Issues like this, where files differed because of embedded 
timestamps/hostnames/etc. but were not different in any meaningful way 
came up during testing of this feature.  As a result it was decided to 
not fail a build due to differences in file size, digest, or mtime 
because this would have resulted in a lot of false positives, and 
significantly reduced the usability and usefulness of this feature.

The automated checks are not a replacement for diligent package review 
and testing, they are there to help package maintainers catch silly 
mistakes and oversights.  What we have now is a good balance between 
catching those oversights and not burdening maintainers with a huge 
number of false positives that (as in the python case above) they are 
unable to do anything about and thus unable to make use of this feature.

Note that this feature is in no way more dangerous or prone to error 
than the existing method of creating noarch subpackages (extra-arches).