> > Using host distro tools in cross-compilation builds is problematic, as we 
> > don't have control over what versions we're going to get, and how they are 
> > built and configured. To ensure things work in a reproducible manner, yocto 
> > builds its own rpm executable that can run on the build machine.
> 
> What about fetching a correctly configured binary RPM and verifying its hash 
> before using it?

Possible, but it comes with a significant support burden - someone needs to write 
and support the code that does this, and provide and update the binaries, for 
all of the architectures that yocto builds can run on. There need to be tests 
and documentation too. And a possibility to opt out of it, and build the rpm binary 
locally anyway.

When there are alternatives, we pick one which puts the least pressure on our 
very limited maintainer resources, or ideally makes it less than it was. The 
standard approach is to build the tools locally, and we'd rather stick with it.
 
> > FWIW, the only host tools allowed to bootstrap the yocto build are python, 
> > gcc, wget, tar, git and various (de)compression utilities - things you need 
> > to fetch the sources, and bootstrap a cross-compiler.
> 
> Do you also need tools to cryptographically verify the downloaded sources? Or 
> is that done in Python?

For tarballs, their checksums are verified with python against a local record of what they 
should be. For git checkouts we trust the git executable that the 
specified commit id will result in the correct tree, or there will be an error.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2414#issuecomment-1829319201

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
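The tarball check described in the reply above, as an added example that is not code from the rpm or Yocto projects: a fetched archive is compared against a locally recorded sha256 and refused on mismatch or when no record exists. The `SRC_URI[sha256sum] = "..."` record format and all sample data are assumptions constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Assumed record format (Yocto-style; an assumption): SRC_URI[sha256sum] = "<64 hex chars>"
_RECORD_RE = re.compile(r'^SRC_URI\[sha256sum\]\s*=\s*"([0-9a-fA-F]{64})"\s*$')

class SourceVerificationError(Exception): ...

def recorded_sha256(record_text):
    """Return the sha256 recorded for the source; a missing record is a failure, not a pass."""
    for line in record_text.splitlines():
        m = _RECORD_RE.match(line.strip())
        if m:
            return m.group(1).lower()
    raise SourceVerificationError("no recorded sha256; refusing unverifiable source")

def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_tarball(path, record_text):
    """Compare the fetched file against the local record; any mismatch rejects it."""
    want = recorded_sha256(record_text)
    got = file_sha256(path)
    if got != want:
        raise SourceVerificationError(f"sha256 mismatch for {path}: expected {want}, got {got}")
    return True

def demo():
    """Constructed sample: a fake tarball matching its record, then a tampered copy."""
    data = b"constructed tarball bytes, not a real archive\n"
    record = 'SRC_URI[sha256sum] = "%s"\n' % hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.tar.gz"), os.path.join(d, "bad.tar.gz")
        with open(good, "wb") as f:
            f.write(data)
        with open(bad, "wb") as f:
            f.write(data + b"x")  # one extra byte: must be rejected
        accepted = verify_tarball(good, record)
        try:
            verify_tarball(bad, record)
            rejected = False
        except SourceVerificationError:
            rejected = True
    return accepted, rejected
```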
