[Fedora-packaging] Is md5sum compulsion in review instead sha1sum?

Jason L Tibbitts III tibbs at math.uh.edu
Wed Oct 14 18:56:04 UTC 2009

>>>>> "NM" == Nicolas Mailhot <nicolas.mailhot at laposte.net> writes:

NM> This is something for the BADURL script or autoqa, IMHO. The ROI on
NM> doing it manually, and only on the initial submission, is pretty
NM> low.

Well, so far I've caught many, many instances of improper URLs, several
cases where the packager had modified the tarball and not realized that
was problematic, and a few instances where the tarball needed to be
modified but the packager hadn't documented the reasons or the necessary
changes in accordance with our guidelines.  All of those are things that
need to be done in review, before the import, because the point is to
actually check the packages before they're imported to guard against
errors where the packager simply isn't aware of the proper way to do
things.  Letting crap get in and then mailbombing the packager with
autoqa mail (which doesn't even exist at this point) isn't friendly to
either the packager or the distribution.

But of course we have no QA on actual package reviews, so I guess you're
welcome to simply skip the step, or pretty much do whatever you want.
And in any case, it's only a few keystrokes to run this after unpacking
the srpm:

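mkdir source
cd source
# download the upstream sources named in the spec
spectool -g ../*spec
# print each upstream checksum next to the checksum of the SRPM's copy
for i in *; do
  sha256sum "$i"
  sha256sum "../$i"
done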

and only a further few seconds to look at the output, so the investment
is rather low regardless of what you think the return is.

 - J<
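
The comparison described in the message above, written as a function that reports differences instead of leaving them to be spotted by eye. This is an added example, not part of the original post; the function name `compare_sources`, its two directory arguments and its return codes are assumptions.

```shell
#!/bin/bash
# compare_sources UPSTREAM_DIR SRPM_DIR   (hypothetical helper)
#   UPSTREAM_DIR: files freshly downloaded with "spectool -g"
#   SRPM_DIR:     sources from the unpacked srpm
# Prints MATCH, MISMATCH or MISSING for each upstream file.
# Returns 0 if all files match, 1 on any difference, 2 if nothing was compared.
compare_sources() {
    local upstream_dir srpm_dir status count f name up_sum pkg_sum
    upstream_dir=$1
    srpm_dir=$2
    status=0
    count=0
    for f in "$upstream_dir"/*; do
        [ -f "$f" ] || continue          # skip directories and an unmatched glob
        count=$((count + 1))
        name=${f##*/}
        if [ ! -f "$srpm_dir/$name" ]; then
            # Source URL in the spec does not correspond to a file in the srpm
            echo "MISSING  $name"
            status=1
            continue
        fi
        up_sum=$(sha256sum < "$f" | cut -d' ' -f1)
        pkg_sum=$(sha256sum < "$srpm_dir/$name" | cut -d' ' -f1)
        if [ "$up_sum" = "$pkg_sum" ]; then
            echo "MATCH    $name $up_sum"
        else
            # Tarball was modified or re-rolled; the spec should document why
            echo "MISMATCH $name upstream=$up_sum srpm=$pkg_sum"
            status=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        # An empty download directory must not pass as "everything matched"
        echo "ERROR    no files found in $upstream_dir"
        return 2
    fi
    return "$status"
}
```

Run from the directory holding the unpacked srpm, after the `spectool -g` step, it would be called as `compare_sources source .`.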
