BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Being Newer Than Red Hat

Subject: Being Newer Than Red Hat
From: warlord at MIT.EDU (Derek Atkins)
Date: 12 Aug 2002 17:38:57 -0400
In-reply-to: <20020812172821.K24469@borg.org>
References: <20020812150257.F24469@borg.org> <1029186006.8309.10.camel@va.local.linuxlobbyist.org> <20020812172821.K24469@borg.org>

Kent Borg <kentborg at borg.org> writes:

> First, it seems a really big part of rpms are the spec files.  Is
> there a good documention on writing in that "language"?

Not really.  You can check www.rpm.org, but frankly the docs suck
hairy monkey balls.

> Second, I grabbed the srpm, and installed it.  Then I did the
> rpmbuild, and installed the result of that.  It seemed to work.  (Did
> it?)  My question: aren't the sources still going to be sitting
> somehwere?  (Where?)

/usr/src/redhat/*
        SOURCES -> tarball and patchfile sources
        BUILD -> the build tree
        SPECS -> where the SPEC files live
        RPMS -> built RPMS
        SRPMS -> built SRPMS

> Third is a question I already answered for myself.  There are two
> kinds of signatures for rpm files.  Plain old "md5" and "md5 gpg".  If
> you do an "rpm --checksig somepackage.rpm" wanting to verify that it
> is a genuine Red Hat package, you want to get something like
> "XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK", not
> "cvs-1.11.2-5.i386.rpm: md5 OK".  Anyone can build an "md5 OK" rpm (I
> did) but only someone with Red Hat's secret key can gpg-sign an RPM.
> So when checking RPMs (and you do want to do so), don't just look for
> a lack of complaint on bad signatures, make sure all expected gpg
> signed packages are actually *gpg* signed.

I don't sign my home-built RPMS, so I dont know.

> I do note that the rawhide source rpm I downloaded does not check out:
> 
>   cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)
> 
> Whazzup?  Are betas signed with a different key?  (I guess that is my
> third question.)

Well, you don't have the right key on your keyring.  I have no idea
what key they use .

> -kb

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

Follow-Ups:
- Being Newer Than Red Hat
  - From: kentborg at borg.org (Kent Borg)

References:
- Being Newer Than Red Hat
  - From: kentborg at borg.org (Kent Borg)
- Being Newer Than Red Hat
  - From: pri.blu at iadonisi.to (Paul Iadonisi)
- Being Newer Than Red Hat
  - From: kentborg at borg.org (Kent Borg)

Prev by Date: Being Newer Than Red Hat
Next by Date: Being Newer Than Red Hat
Previous by thread: Being Newer Than Red Hat
Next by thread: Being Newer Than Red Hat
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org