Unfortunately, the suggested format of `Source(sha256): format` is not backward
compatible with older rpm releases, and having the checksum as an extra tag
(with autonumbering) and if conditions could be error-prone and tricky. So
@mlschroe came up with an alternative proposal:

```
Source sha256(<checksum>):         https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz
Source42   sha256(<checksum>)  :         https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz
```

This works with old rpms and can be parsed easily with a patch (working on it 
at the moment). The only downside I see is that with sha256 the source lines 
get relatively long (at least 80 characters), but I personally can live with 
that.

An alternative syntax that builds upon another exploitable trick we have used in
SUSE spec files for a while already is this:

```
Source:  https://files.pythonhosted.org/packages/source/.../%{name}-%{version}.tar.gz#sha256:<checksum>/%{name}-%{version}.tar.gz
```

This works as well because rpm parses only after the last '/', and the download
code ignores the fragment part.

Any opinions on which way to go?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/463#issuecomment-1635569863
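
The two syntaxes proposed in the message above, parsed and checked against downloaded bytes, as an added example that is not rpm's code or the patch mentioned in the thread. The regular expressions are an assumed reading of the sample lines, `parse_source_line` and `verify_source` are hypothetical names, and the URL and payload are constructed.

```python
import hashlib
import hmac
import re

HEX64 = re.compile(r"[0-9a-f]{64}")
# Assumed grammar for "Source[N] sha256(<checksum>) : <url>"
TAG_FORM = re.compile(r"^(Source\d*)\s+sha256\(([^)]*)\)\s*:\s*(\S+)$")
# Assumed grammar for "Source[N]: <url>#sha256:<checksum>/<filename>"
FRAG_FORM = re.compile(r"^(Source\d*)\s*:\s*([^#\s]+)#sha256:([^/\s]*)/([^/\s]+)$")


def parse_source_line(line):
    """Return tag, checksum, url and filename, or None when the line pins no checksum."""
    line = line.strip()
    m = TAG_FORM.match(line)
    if m:
        tag, checksum, url = m.groups()
        filename = url.rsplit("/", 1)[-1]
    else:
        m = FRAG_FORM.match(line)
        if not m:
            return None
        # The file name is whatever follows the last '/', here inside the fragment.
        tag, url, checksum, filename = m.groups()
    checksum = checksum.lower()
    if not HEX64.fullmatch(checksum):
        # A malformed checksum must fail loudly, not count as "no checksum".
        raise ValueError(f"{tag}: malformed sha256 checksum")
    return {"tag": tag, "checksum": checksum, "url": url, "filename": filename}


def verify_source(entry, data):
    """Compare the SHA-256 of the downloaded bytes with the pinned checksum."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, entry["checksum"])


if __name__ == "__main__":
    payload = b"constructed sample tarball bytes"        # constructed sample input
    pinned = hashlib.sha256(payload).hexdigest()
    url = "https://example.invalid/src/demo-1.0.tar.gz"  # constructed URL
    for line in (f"Source42   sha256({pinned})  :         {url}",
                 f"Source:  {url}#sha256:{pinned}/demo-1.0.tar.gz"):
        entry = parse_source_line(line)
        print(entry["tag"], entry["filename"], verify_source(entry, payload),
              verify_source(entry, payload + b"tampered"))
```

Macros such as `%{name}` are assumed to be expanded before the line reaches the parser.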