Ideally, the NEVRA would indicate the vendor via the `%_dist` suffix. Fedora,
ELN, RHEL, SuSE mostly use unique suffixes. Of course this doesn't help when
derivatives rebuild using the same suffix. But I think with this, we're getting
into the territory of SBOMs. Any reasonable SBOM should be enough to uniquely
identify the packages that went into the build environment.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2654#discussioncomment-8722098