Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen
Closed #163.

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen
Initial implementation in commit 91aa0786cf3b2e34de01c586427952de6d0d9b40.

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Colin Walters
In practice though, people shouldn't be using raw `rpm` to install RPMs. They should (and 90% of the time are) using a higher level system like zypper, yum, or rpm-ostree. These systems all consume "rpm-md/yum" metadata, which obviously today has a checksum over the content, which can be

Re: [Rpm-maint] [PATCH] Add option to have unique debug source dirs across version/release/arch.

2017-03-01 Thread Mark Wielaard
On Tue, 2017-02-28 at 21:34 +0100, Mark Wielaard wrote: > @@ -305,7 +317,18 @@ do_file() >if [ ! -z "$ver_rel" ]; then > build_id_seed="--build-id-seed=$ver_rel" >fi > - id=$(${lib_rpm_dir}/debugedit -b "$RPM_BUILD_DIR" -d /usr/src/debug \ > + # See also cpio SOURCEFILE copy.
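Review bot: the `if [ ! -z "$ver_rel" ]` context line in the `do_file()` hunk reads more idiomatically as `[ -n "$ver_rel" ]`, the POSIX test for a non-empty string; and the added comment `# See also cpio SOURCEFILE copy.` should state what has to be kept in sync with that cpio copy (presumably the source directory layout that `debugedit -d /usr/src/debug` rewrites), since a bare cross-reference gives a later reader nothing concrete to check against.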

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen
What on earth does rpm-md have to do with this? It exists on an entirely different level, and has checksums on the entire package file, at the time of repository generation. Files can get corrupted and truncated in transit from rpmbuild to a repository. That has happened in Fedora repos, people

[Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.

2017-03-01 Thread Mark Wielaard
From: Mark Wielaard

Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and Commit bbfe1f8 (Make it possible to have unique build-ids across build versions/releases) introduced new test spec files (hello-r2.spec, hello2cp.spec and hello2ln.spec). Make

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Colin Walters
Okay, but that'd also be caught by MD5, right? So...do we expect every package system to verify *both* the rpm-md checksum and this one? Running SHA256 or whatever *is* pretty cheap, I know. Perhaps enough people rely on "untrusted rpm-md fetched over http + GPG signed RPMs" that we have to

Re: [Rpm-maint] [PATCH] Include new test data spec files in EXTRA_DIST.

2017-03-01 Thread Mark Wielaard
On Wed, 2017-03-01 at 15:28 +0100, Mark Wielaard wrote:
> From: Mark Wielaard
>
> Commit bbfe1f8 (Add build-id links to rpm for all ELF files) and
> Commit bbfe1f8 (Make it possible to have unique build-ids across build
> versions/releases)

Sorry, copy/paste

Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)

2017-03-01 Thread Panu Matilainen
What MD5? Besides being hopelessly outdated and vulnerable, nothing besides rpm -K actually verifies it. Yum/dnf certainly does not. And it lives in the signature header so you can just modify it at will. Repository formats are just not relevant here, at all, no matter which way they're