[Rpm-maint] [rpm-software-management/rpm] Add the "Primary Binding" pgp signature type (PR #3051)

2024-04-19 Thread Michael Schroeder
This type is needed to verify the primary binding signature embedded in subkey binding signatures.
You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3051
-- Commit Summary --
* Add the Primary Binding pgp signature type
--

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: support isolation between %prep/%build/%install/%check (Issue #3050)

2024-04-19 Thread Panu Matilainen
Yup. Note "ideally" in there - this is stuff to explore with, and indeed for packaging hygiene reasons rather than any "security" thing. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3050#issuecomment-2065908096 You are receiving

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: support isolation between %prep/%build/%install/%check (Issue #3050)

2024-04-19 Thread Zbigniew Jędrzejewski-Szmek
> %install should run with a read-only build directory
I don't think this is going to work. E.g. autotoolz-based systems (something in the autotools, automake, libconf stack) do final preparation steps in the install target. I think this is inelegant, but not really "wrong". Old meson versions

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)

2024-04-19 Thread Panu Matilainen
Closing in favor of a more generic #3050 -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3010#issuecomment-2065857806

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)

2024-04-19 Thread Panu Matilainen
Closed #3010 as completed. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3010#event-12533384975

[Rpm-maint] [rpm-software-management/rpm] RFE: support isolation between %prep/%build/%install/%check (Issue #3050)

2024-04-19 Thread Panu Matilainen
Ideally, the build scriptlets would be isolated from each other:
- %prep unpacks the source, and %build takes place in a separate directory against a read-only source. Obviously not all software can be built outside the source tree, but this would be a nice addon to vpath builds (#2985)
-

Re: [Rpm-maint] [rpm-software-management/rpm] [RFC] rpmbuild, check: verify file hashes (PR #3039)

2024-04-19 Thread Panu Matilainen
Rpm already hashes any packaged content cryptographically (SHA256 by default), any such mechanism should utilize that to minimize the extra cost. But this seems like a big extra cost with limited benefit, we're more interested in *preventing* writes across the different stages. -- Reply to

Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)

2024-04-19 Thread Panu Matilainen
Seems I've managed to thoroughly confuse myself with the recent split :joy: So yup, we still need to support the internal parser in 4.19.x but *this* change is not there, and while we still have openssl-related code in >= 4.20, DSA is not part of it. -- Reply to this email directly or view

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: ensure unwritable buildroot during %check (Issue #3010)

2024-04-19 Thread Panu Matilainen
This is not about "preventing XZ", it's just somewhat inspired by it. I really don't know why multiple people are arguing against rpm looking to do some extra packaging hygiene enforcement here. In a similar vein, rpm would prefer an unwritable build directory during %install. Hashing the