Re: rpmbuild: question and help about tarball download

On Tue, May 17, 2016 at 4:47 PM, Michael Schwendt <mschwendt@xxxxxxxxx> wrote:
> On Tue, 17 May 2016 22:35:54 +0200, zosrothko wrote:
>
>> > spectool -g poco.spec
>> >
>> > to download the source.
>> I know, but koji does not run spectool before rpmbuild -bs is launched. I
>> would like rpmbuild to do the same as spectool if the tarball is not in SOURCES
>
> That has never worked before, because rpmbuild does _not_ download the
> sources for you. You provide a complete src.rpm when building in koji.

And there are compelling reasons not to download the sources
dynamically. It only takes one poisoned intermediate proxy for the
tarball you *expect* to be a very, very different tarball indeed.
There was a big furor over this recently for the python modules over
at pypi.org. People had been overriding the same source tarball with
different contents so often that they decided to revise their URL
scheme and broke *all* the old Python module URLs, relying on Python
API used by pip and easy_setup for requesting particular releases to
dynamically poll for and use the transmogrified URLs. And the new URL
was based on the hash of the actual tarball, so it could not be
predicted without a copy of the tarball.

I could not possibly make this stuff up, look at:

        https://bitbucket.org/pypa/pypi/issues/438/backwards-compatible-un-hashed-package
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/packaging@xxxxxxxxxxxxxxxxxxxxxxx
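
The risk raised in the message above (a tarball fetched at build time that is not the tarball you expect) is normally handled by pinning a digest next to the spec and checking it before the build. The script below is an added example, not part of the original thread or of rpmbuild or koji; the pin-file format (BSD-style `SHA512 (file) = hex` lines) and the function name `verify_sources` are assumptions.

```shell
#!/bin/sh
# Added example: check pre-fetched source tarballs against pinned digests
# before building, instead of trusting whatever a URL returns at build time.
# Assumption: the pin file holds BSD-style lines, one per source file:
#   SHA512 (name.tar.gz) = <128 hex chars>

# verify_sources PINFILE SOURCEDIR  (hypothetical helper name)
# Returns 0 only if every pinned file exists and matches its digest.
verify_sources() {
    pinfile=$1
    srcdir=$2
    [ -r "$pinfile" ] || { echo "no pin file: $pinfile" >&2; return 2; }
    rc=0
    seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # Accept only the exact pinned-line shape; anything else fails closed.
        name=$(printf '%s\n' "$line" |
            sed -n 's/^SHA512 (\(.*\)) = [0-9a-f]\{128\}$/\1/p')
        want=$(printf '%s\n' "$line" |
            sed -n 's/^SHA512 (.*) = \([0-9a-f]\{128\}\)$/\1/p')
        if [ -z "$name" ] || [ -z "$want" ]; then
            echo "malformed pin line: $line" >&2; rc=1; continue
        fi
        # Refuse path components so a pin cannot point outside SOURCEDIR.
        case $name in
            */*) echo "bad file name: $name" >&2; rc=1; continue ;;
        esac
        seen=$((seen + 1))
        if [ ! -f "$srcdir/$name" ]; then
            echo "missing source: $name" >&2; rc=1; continue
        fi
        got=$(sha512sum < "$srcdir/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "DIGEST MISMATCH: $name" >&2; rc=1
        fi
    done < "$pinfile"
    # A pin file that pins nothing verifies nothing: treat it as a failure.
    [ "$seen" -gt 0 ] || rc=1
    return $rc
}
```

Run it as a gate in front of the build, for example `verify_sources sources SOURCES && rpmbuild -bs poco.spec`, so a substituted tarball stops the build instead of ending up in the src.rpm.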