```
During the %check target, no files that existed before are expected to be
modified. This change adds a validation to the rpmbuild command, which will
store file hashes, and compare them after compilation again.
Note: this is only a simple demonstrator that cannot handle large projects, and
it is using a very simple hash function.
```
### Note
This is a demonstrator to steer discussions. A fully functional variant would
likely use a dynamic container to store the hashes, handle errors better, and
use a more sophisticated hash function.
We are aware that there are ways around this validation and still modify build
files from the %check phase.
This is one way to implement the requirement to have an immutable build root
during rpmbuild's %check phase, as described in
https://github.com/rpm-software-management/rpm/issues/3010
### Testing Done
I compiled the xz-utils package of Amazon Linux 2 in an Amazon Linux 2
container image with this change. We also tested a malicious RPM that modified
its build files during `%check`.
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/3039
-- Commit Summary --
* rpmbuild,check: verify file hashes
-- File Changes --
M build/build.c (130)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/3039.patch
https://github.com/rpm-software-management/rpm/pull/3039.diff
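The check the pull request describes, as an added stand-alone example that is not the PR's own code and does not touch rpmbuild: snapshot every file under a build root before %check, snapshot it again afterwards, and report anything modified, added or removed. It uses SHA-256 and a dict instead of the demonstrator's simple hash and fixed storage; the build tree in `demo()` is constructed for illustration.

```python
import hashlib
import os
import tempfile

def _sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256.
    Symlinks are recorded by their target string so a swapped link is caught too."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                state[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                state[rel] = _sha256_of(full)
    return state

def compare(before, after):
    """Return the three classes of change %check must not make to the build root."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }

def demo():
    """Constructed build root: a rogue %check rewrites one file, drops one, adds one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        for rel, data in (("src/main.c", b"int x;\n"), ("Makefile", b"all:\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = snapshot(root)
        # simulated tampering during %check (constructed, not a real package)
        with open(os.path.join(root, "src/main.c"), "ab") as f:
            f.write(b"/* injected */\n")
        os.remove(os.path.join(root, "Makefile"))
        with open(os.path.join(root, "src/extra.o"), "wb") as f:
            f.write(b"\0")
        return compare(before, snapshot(root))
```

A non-empty result from `compare()` is the condition under which rpmbuild would fail the build.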
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint