On Thu, Mar 29, 2018 at 03:07:21PM -0400, Jeff Johnson wrote: > > > > On Mar 29, 2018, at 12:55 PM, Vladimir D. Seleznev <vsele...@altlinux.org> > > wrote: > > > > Hello, rpm-maint@! > > > > There are RFC patches which implement RPMTAG_IDENTITY calculation. > > > > The main idea is that RPMTAG_IDENTITY contains a hash of as many as > > possible, > > ideally all RPMTAGs, with exception of that that principally cannot be > > reproducible and that we don't want to make it reproducible. Another > > exception > > is for these tags that we want to use in certain cases, but only for these > > tags > > that aren't relevant to result of package build. So value of > > RPMTAG_IDENTITY is > > calculating by blacklist filtered tags for each package. > > > > I didn't test the code on systems different from ALT, so I don't sure that > > it > > works on these systems properly. I also don't sure that black list is > > complete > > for other systems, these case also need to test. > > > > Previously I wrote that RPMTAG_IDENTITY value will be used to generate more > > strict interpackage dependencies, but we turn away from it because identity > > of > > binary packages of two builds from one source package can be same for some > > packages and differ for others, and it brings collision for them. > > > > This isn't the best implementation for an IDENTITY > proof-of-reproducibility implementation. > > While I understand that you followed the header SHA1 code path, > filtering out tags that were too specific, in order to add an IDENTITY > tag in rpmbuild, header.c is just not the right place to hard wire the > definition of what tags to include, nor is there any reason to include > the IDENTITY within a package header, largely because that forces a > package rebuild (a very expensive operation) in order to populate tag > values. > > The better implementation uses a tag extension (in lib/tagexts.c) > using a header tag iterator with filtering to retrieve the tag values > you wish in the IDENTITY plaintext. The reason to calculate IDENTITy > dynamically is the ease with which a proof-of-reproducibility can be > deployed everywhere, not just in ALT.
I like the idea to calculate IDENTITY dynamically implemented as tag extension. Still I need to think about pros and cons and possible pitfalls of this decision. > Please open an issue to discuss IDENTITY as a header tag extension if > you would like to proceed in that direction. I opened the issue: https://github.com/rpm-software-management/rpm/issues/426 -- With best regards, Vladimir D. Seleznev _______________________________________________ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint