On Sat, 18 Aug 2007 00:57:38 +0200 Axel Thimm <Axel Thimm ATrpms net> wrote: > I think you got me there. But that just means that BRs are not to be > macroized. But unfortunately, as you've noticed, Rs get processed too when trying to find BRs. I don't know if it's possible to stop this at the rpm level but it might be nice (: > > > > (although isn't it fun that BuildRequires /are/ Requires in the > > > > source rpm?) > > > > > > and you get the fact that these "Requires" are already macro > > > expanded so no chicken/egg situation here even if the BRs had had > > > been macroized. > > > > > > So koji could do the following pseudo-code and avoid all troubles: > > > > > > rpm -qRp foo-1-2.src.rpm | xargs yum --root=xxx --yes install > > > rpmbuild --root xxx ... > > > > Where does the srpm come from? Koji works from cvs tags to ensure > > that what you build is actually what came from CVS, so you have to > > construct the srpm out of the spec and sources (and oh yeah, > > sources come from the lookaside, no trojan sources in random srpm > > tossed in) > > So we have trojan detection in CVS and lookaside now? ;) Heh, well... no. It's just slightly harder to chuck your own srpm with your own source tarball into the build system for a "official" build. You actually have to go through the cvs procedure where there are a few more eyes watching. Now, an interesting idea would be to continuously run some sort of analyzer across the tarballs on the lookaside cache. Would be interesting if you could find anything there. </crazy> -- Jesse Keating Fedora -- All my bits are free, are yours?
Description: PGP signature