Being Newer Than Red Hat

Derek Atkins warlord at MIT.EDU
Mon Aug 12 17:38:57 EDT 2002


Kent Borg <kentborg at borg.org> writes:

> First, it seems a really big part of rpms are the spec files.  Is
> there a good documentation on writing in that "language"?

Not really.  You can check www.rpm.org, but frankly the docs suck
hairy monkey balls.

> Second, I grabbed the srpm, and installed it.  Then I did the
> rpmbuild, and installed the result of that.  It seemed to work.  (Did
> it?)  My question: aren't the sources still going to be sitting
> somewhere?  (Where?)

/usr/src/redhat/*
        SOURCES -> tarball and patchfile sources
        BUILD -> the build tree
        SPECS -> where the SPEC files live
        RPMS -> built RPMS
        SRPMS -> built SRPMS

> Third is a question I already answered for myself.  There are two
> kinds of signatures for rpm files.  Plain old "md5" and "md5 gpg".  If
> you do an "rpm --checksig somepackage.rpm" wanting to verify that it
> is a genuine Red Hat package, you want to get something like
> "XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK", not
> "cvs-1.11.2-5.i386.rpm: md5 OK".  Anyone can build an "md5 OK" rpm (I
> did) but only someone with Red Hat's secret key can gpg-sign an RPM.
> So when checking RPMs (and you do want to do so), don't just look for
> a lack of complaint on bad signatures, make sure all expected gpg
> signed packages are actually *gpg* signed.

I don't sign my home-built RPMS, so I don't know.

> I do note that the rawhide source rpm I downloaded does not check out:
> 
>   cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)
> 
> Whazzup?  Are betas signed with a different key?  (I guess that is my
> third question.)

Well, you don't have the right key on your keyring.  I have no idea
what key they use.

> -kb

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
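
Added example, not part of the original thread: a shell filter for the check Kent describes, which treats a package as verified only when its `rpm --checksig` line reports `gpg` and `OK`, rather than merely lacking a complaint. The function names and verdict labels are hypothetical, the sample lines are the three quoted in the message, and the parsing assumes the output format shown there.

```shell
#!/bin/sh
# Classify one line of "rpm --checksig" output (format as quoted in the thread).
# Prints SIGNED, DIGEST_ONLY, FAILED or UNKNOWN. Names are illustrative.
classify_checksig() {
    result=${1#*: }                  # text after "package.rpm: "
    case "$result" in
        *"NOT OK"*) echo FAILED; return 0 ;;   # bad signature or missing key
    esac
    case "$result" in
        *OK) ;;                                # passed whatever checks it had
        *)   echo UNKNOWN; return 0 ;;         # unrecognised line: do not trust
    esac
    case " $result " in
        *" gpg "*) echo SIGNED ;;              # a GPG signature was verified
        *)         echo DIGEST_ONLY ;;         # "md5 OK": anyone can build this
    esac
}

# Read checksig lines on stdin, print "VERDICT<TAB>package" for each,
# and return non-zero unless every package is gpg-signed and OK.
audit_checksig() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig "$line")
        printf '%s\t%s\n' "$verdict" "${line%%: *}"
        [ "$verdict" = SIGNED ] || bad=1
    done
    return "$bad"
}

# Sample input: the three result lines quoted in the message above.
sample_checksig_output() {
    cat <<'EOF'
XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK
cvs-1.11.2-5.i386.rpm: md5 OK
cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)
EOF
}

# Real use would be: rpm --checksig *.rpm 2>&1 | audit_checksig
sample_checksig_output | audit_checksig || echo "not all packages are gpg-signed"
```

The `MISSING KEYS` case is reported as FAILED because, without the signer's public key on the keyring, the signature has not been verified at all.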


