Being Newer Than Red Hat

Kent Borg kentborg at borg.org
Mon Aug 12 17:28:21 EDT 2002


On Mon, Aug 12, 2002 at 05:00:05PM -0400, Paul Iadonisi wrote:
>   Wow, a packaging discussion that didn't generate a flamewar. 
> Awesome!  ;-)

I didn't realize the risk I was running.  Then again, I consciously
decided to ask this list instead of the rhl list I am on, maybe I knew
more than I knew.

>   Anyhow, I would like to offer my assistance for any rpm building
> questions you may have.

Cool.

Three at the moment.

First, it seems a really big part of rpms are the spec files.  Is
there a good documentation on writing in that "language"?

Second, I grabbed the srpm, and installed it.  Then I did the
rpmbuild, and installed the result of that.  It seemed to work.  (Did
it?)  My question: aren't the sources still going to be sitting
somewhere?  (Where?)

Third is a question I already answered for myself.  There are two
kinds of signatures for rpm files.  Plain old "md5" and "md5 gpg".  If
you do an "rpm --checksig somepackage.rpm" wanting to verify that it
is a genuine Red Hat package, you want to get something like
"XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK", not
"cvs-1.11.2-5.i386.rpm: md5 OK".  Anyone can build an "md5 OK" rpm (I
did) but only someone with Red Hat's secret key can gpg-sign an RPM.
So when checking RPMs (and you do want to do so), don't just look for
a lack of complaint on bad signatures, make sure all expected gpg
signed packages are actually *gpg* signed.

I do note that the rawhide source rpm I downloaded does not check out:

  cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)

Whazzup?  Are betas signed with a different key?  (I guess that is my
third question.)


-kb
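The check described in the third question, as an added example that is not part of the original message: a small POSIX shell helper that parses the 2002-era `rpm --checksig` output quoted above and accepts a package only when the line reports a gpg check that passed. A plain "md5 OK" or any "NOT OK" (including MISSING KEYS) is rejected. The sample lines are the ones from the message, embedded here as constructed input; newer rpm releases word their summary line differently, so the patterns would need adjusting for them.

```shell
#!/bin/sh
# Classify one line of `rpm --checksig` output (rpm 4.0-era format, as
# quoted in the message). Returns 0 only when the line reports an OK
# result that includes a gpg signature check.
checksig_line_ok() {
  case $1 in
    *"NOT OK"*) return 1 ;;   # bad signature, or key not in the keyring
    *" gpg OK")  return 0 ;;  # digest AND gpg signature both verified
    *)           return 1 ;;  # "md5 OK" alone: anyone can produce that
  esac
}

# Run rpm --checksig on every file given; fail if any package is not
# verified as gpg-signed. (Calls the real rpm; not exercised offline.)
require_gpg_signed() {
  rc=0
  for f in "$@"; do
    out=$(rpm --checksig "$f" 2>&1)
    if checksig_line_ok "$out"; then
      echo "OK:   $f"
    else
      echo "FAIL: $out" >&2
      rc=1
    fi
  done
  return $rc
}

# Offline demonstration over constructed sample lines taken from the
# message; prints one verdict per line without invoking rpm.
demo_checksig() {
  for line in \
    "XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK" \
    "cvs-1.11.2-5.i386.rpm: md5 OK" \
    "cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)"
  do
    if checksig_line_ok "$line"; then
      echo "ACCEPT: $line"
    else
      echo "REJECT: $line"
    fi
  done
}

demo_checksig
```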


