Being Newer Than Red Hat
Kent Borg
kentborg at borg.org
Mon Aug 12 17:28:21 EDT 2002
On Mon, Aug 12, 2002 at 05:00:05PM -0400, Paul Iadonisi wrote:
> Wow, a packaging discussion that didn't generate a flamewar.
> Awesome! ;-)
I didn't realize the risk I was running. Then again, I consciously
decided to ask this list instead of the rhl list I am on, maybe I knew
more than I knew.
> Anyhow, I would like to offer my assistance for any rpm building
> questions you may have.
Cool.
Three at the moment.
First, it seems a really big part of rpms are the spec files. Is
there good documentation on writing in that "language"?
Second, I grabbed the srpm, and installed it. Then I did the
rpmbuild, and installed the result of that. It seemed to work. (Did
it?) My question: aren't the sources still going to be sitting
somewhere? (Where?)
Third is a question I already answered for myself. There are two
kinds of signatures for rpm files. Plain old "md5" and "md5 gpg". If
you do an "rpm --checksig somepackage.rpm" wanting to verify that it
is a genuine Red Hat package, you want to get something like
"XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK", not
"cvs-1.11.2-5.i386.rpm: md5 OK". Anyone can build an "md5 OK" rpm (I
did) but only someone with Red Hat's secret key can gpg-sign an RPM.
So when checking RPMs (and you do want to do so), don't just look for
a lack of complaint on bad signatures, make sure all expected gpg
signed packages are actually *gpg* signed.
I do note that the rawhide source rpm I downloaded does not check out:
cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)
Whazzup? Are betas signed with a different key? (I guess that is my
third question.)
-kb
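The check described in the third question, as an added example that is not part of Kent's message or of rpm itself: a small POSIX sh script that reads `rpm --checksig` output line by line and only accepts packages whose line carries a verified gpg (or, in the older spelling for RSA keys, pgp) signature, treating "md5 OK" on its own as unsigned and anything else, including the missing-key case, as a failure. The function names and verdict labels are my own, and the pattern matching assumes the 2002-era output wording quoted above (newer rpm releases summarise differently, e.g. "digests signatures OK", so the patterns would need adjusting there). The three sample lines are copied from the message and embedded so the script runs without rpm installed.

```shell
#!/bin/sh
# Added example, not from the original message or from rpm.
# Verdicts: GPG_OK   - md5 OK and a verified gpg/pgp signature present
#           MD5_ONLY - "OK", but only a digest, no signature (anyone can build this)
#           NOT_OK   - any failure, including "NOT OK (MISSING KEYS: ...)"

# Classify a single line of "rpm --checksig" output (assumed 2002-era wording).
classify_checksig_line() {
    line=$1
    case $line in
        *" NOT OK"*)            echo NOT_OK ;;   # checked first: "NOT OK" also ends in "OK"
        *" gpg OK"|*" pgp OK")  echo GPG_OK ;;   # pgp: older rpm's label for RSA signatures
        *" OK")                 echo MD5_ONLY ;; # digest matched, but nothing was signed
        *)                      echo NOT_OK ;;   # anything unrecognised is treated as bad
    esac
}

# Read checksig output on stdin, print a verdict per line, and return 1
# unless every package is gpg-signed and verified.
check_all() {
    rc=0
    while IFS= read -r line; do
        v=$(classify_checksig_line "$line")
        printf '%s\t%s\n' "$v" "$line"
        [ "$v" = GPG_OK ] || rc=1
    done
    return $rc
}

# Constructed sample: the three lines quoted in the message above.
SAMPLE_OUTPUT='XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK
cvs-1.11.2-5.i386.rpm: md5 OK
cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)'

# With package paths as arguments, run rpm itself; with none, run over the
# constructed sample so the script can be tried without any rpm files.
main() {
    if [ "$#" -gt 0 ]; then
        rpm --checksig "$@" | check_all
    else
        printf '%s\n' "$SAMPLE_OUTPUT" | check_all
    fi
}

main "$@" || echo "at least one package is not gpg-signed and verified" >&2
```

Run it with no arguments to see the three sample lines classified (only the XFree86 line gets GPG_OK, so the overall status is a failure), or pass `.rpm` paths to check real files. The point of the `MD5_ONLY` verdict is exactly the one made above: an "md5 OK" line is not evidence of origin, only of an intact download.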