Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-17 Thread Dmitry Mikhirev
My [comment][1] in #3010 is relevant for this issue too. [1]: https://github.com/rpm-software-management/rpm/issues/3010#issuecomment-2060781335 -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3009#discussioncomment-9140068 You

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-03 Thread Panu Matilainen
That mock does something is not a reason to not improve rpmbuild security and package/packaging sanity enforcement. A test-suite modifying what gets packaged is simply *horribly wrong*, even if it's by accident. If we can catch that, then we should. That's a no-brainer to me.

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-02 Thread Miroslav Suchý
When you run rpmbuild directly I would argue that you do not care about security already :) I guess it will be hard for rpmbuild to handle remounts for you. While it is a no-brainer for Mock. What mock will need to have in rpm implemented is: 1) rpmbuild -ba --nocheck foo.spec # this already

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-02 Thread Panu Matilainen
Opened https://github.com/rpm-software-management/rpm/issues/3010 as well. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3009#discussioncomment-8980509

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-02 Thread Panu Matilainen
We've been entertaining ideas in this direction before the xz incident, e.g. #2985 (for read-only source) and #2989. Read-only buildroot would be a logical extension of this. Some of these things are stepping into "mock territory", but then people still *do* run rpmbuild through other means as

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-01 Thread Carlos R.F.
Another option can be as simple as backing up the entire directory prior to `%check` and using the CoW feature in xfs to optimize the operation. Then, restore it. It may actually be a lot simpler, and would require fewer permissions. It is basically the `cp -ar --reflink=always ...`

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-01 Thread Carlos R.F.
Is this project the right place to put this discussion and make an issue? Should it be `mock` instead? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3009#discussioncomment-8977797

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-01 Thread Miroslav Suchý
https://github.com/rpm-software-management/mock/issues/1352 -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3009#discussioncomment-8974586

Re: [Rpm-maint] [rpm-software-management/rpm] Implement a way to ensure build artifacts integrity after the `%build`, and during post-build phases like `%check` (Discussion #3009)

2024-04-01 Thread ニール・ゴンパ
Yeah, it would be interesting for sure. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/discussions/3009#discussioncomment-8974419