On Thursday, 30 May 2019 at 14:29 -0700, Samuel Sieb wrote:
> On 5/30/19 1:56 PM, Chris Murphy wrote:
> > On Thu, May 30, 2019 at 8:40 AM Daniel Mach <dm...@redhat.com> wrote:
> > > Dne 30. 05. 19 v 0:05 Neal Gompa napsal(a):
> > > > I'm pretty sure this would break DeltaRPMs, since none of the drpm
> > > > software has been updated to handle zstd compression. Neither drpm
> > > > nor deltarpm handle it today.
> > > > 
> > > Thanks for heads-up. We'll look into it and provide a fix soon.
> > 
> > I have no idea how deltarpm works, but if working on bit level
> > difference on uncompressed data, I don't see why local rebuild needs
> > to use the same compression level as the Fedora build system. If it's
> > working on compressed data, well I'm not sure how that works, in
> > particular if pixz is used which gives non-reproducible results.
> 
> I was going to suggest earlier that deltarpm could use a faster
> compression when repacking.  But then I realized that the result has
> to be bit-exact with the original so the package signing is still
> intact.

That's because someone in the old old past took the shortcut of signing
compressed payload hashes instead of signing the uncompressed payload.
That was an easy mistake to make at the time everything was a gzip
file.

That’s something which is also killing us hosting side, now that many
“source” archives are generated on-the-fly, and the on-the-fly
compression method is not stable over time.

Someday the technical debt will reach such levels, the whole package
creation and distribution toolchain will have to be audited to hunt
down all the steps where we assume the security invariant is the
compressed payload instead of the payload itself.

-- 
Nicolas Mailhot
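
An added illustration of the point made in the message above, not code from the thread or from rpm/deltarpm: the same payload recompressed at a different level fails a signature taken over the compressed bytes but passes one taken over the payload itself. Assumptions: zlib stands in for the package compressor, an HMAC with a constructed key stands in for the package signature, and all function names are hypothetical.

```python
import hashlib
import hmac
import zlib

# Constructed demo key; HMAC stands in for the packager's real signature.
SIGNING_KEY = b"constructed-demo-key"


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, hashlib.sha256(data).digest(), hashlib.sha256).digest()


def build_package(payload: bytes, level: int) -> dict:
    """Build side: compress once, sign both candidate invariants."""
    blob = zlib.compress(payload, level)
    return {"blob": blob, "sig_compressed": sign(blob), "sig_payload": sign(payload)}


def verify_compressed(blob: bytes, sig: bytes) -> bool:
    """Invariant = compressed bytes: any change in compressor output breaks it."""
    return hmac.compare_digest(sign(blob), sig)


def verify_payload(blob: bytes, sig: bytes) -> bool:
    """Invariant = payload itself: decompress first, then check the signature."""
    try:
        payload = zlib.decompress(blob)
    except zlib.error:
        return False
    return hmac.compare_digest(sign(payload), sig)


def demo() -> dict:
    # Constructed sample payload (a fake file list), not real package data.
    payload = b"".join(b"/usr/share/doc/demo/file%03d\n" % i for i in range(200))
    pkg = build_package(payload, 9)                 # what the build system shipped
    rebuilt = zlib.compress(payload, 1)             # client-side rebuild, faster level
    modified = zlib.compress(payload + b"extra line\n", 9)
    return {
        "same_payload": zlib.decompress(rebuilt) == payload,
        "rebuilt_vs_compressed_sig": verify_compressed(rebuilt, pkg["sig_compressed"]),
        "rebuilt_vs_payload_sig": verify_payload(rebuilt, pkg["sig_payload"]),
        "modified_vs_payload_sig": verify_payload(modified, pkg["sig_payload"]),
        "garbage_vs_payload_sig": verify_payload(b"not a zlib stream", pkg["sig_payload"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Verifying the payload rather than the compressed bytes means the decompressor runs on input that has not yet been authenticated, so it becomes part of the trusted path.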