I don't think that a custom "rpmhash" tool is the problem. We have to "trust"
the tools anyway… A tool that deletes signatures is as much an opaque binary as
the tool that calculates some hash.

I think it would be a reasonable compromise to say that the hypothetical "rpmhash"
tool must give a result that is identical to delsign+sha256sum. The problem is
to agree on what exactly is stripped and/or skipped in the hash.

FWIW, I've been going through Fedora rebuilds over the last few days, and there
is clear value in having BUILDHOST set to a non-fake value. For example, in
https://bugzilla.redhat.com/show_bug.cgi?id=2266767#c4, it was very helpful
in diagnosing an arch-specific issue in a noarch package.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2934#discussioncomment-8630015
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint