Being Newer Than Red Hat
Derek Atkins
warlord at MIT.EDU
Mon Aug 12 17:38:57 EDT 2002
Kent Borg <kentborg at borg.org> writes:
> First, it seems a really big part of rpms are the spec files. Is
> there a good documentation on writing in that "language"?
Not really. You can check www.rpm.org, but frankly the docs suck
hairy monkey balls.
> Second, I grabbed the srpm, and installed it. Then I did the
> rpmbuild, and installed the result of that. It seemed to work. (Did
> it?) My question: aren't the sources still going to be sitting
> somewhere? (Where?)
/usr/src/redhat/*
SOURCES -> tarball and patchfile sources
BUILD -> the build tree
SPECS -> where the SPEC files live
RPMS -> built RPMS
SRPMS -> built SRPMS
> Third is a question I already answered for myself. There are two
> kinds of signatures for rpm files. Plain old "md5" and "md5 gpg". If
> you do an "rpm --checksig somepackage.rpm" wanting to verify that it
> is a genuine Red Hat package, you want to get something like
> "XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK", not
> "cvs-1.11.2-5.i386.rpm: md5 OK". Anyone can build an "md5 OK" rpm (I
> did) but only someone with Red Hat's secret key can gpg-sign an RPM.
> So when checking RPMs (and you do want to do so), don't just look for
> a lack of complaint on bad signatures, make sure all expected gpg
> signed packages are actually *gpg* signed.
I don't sign my home-built RPMS, so I don't know.
> I do note that the rawhide source rpm I downloaded does not check out:
>
> cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)
>
> Whazzup? Are betas signed with a different key? (I guess that is my
> third question.)
Well, you don't have the right key on your keyring. I have no idea
what key they use.
> -kb
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
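An added example, not part of this thread: a POSIX shell audit that reads `rpm --checksig` output and flags any package whose line says only "md5 OK" (digest intact but no GPG signature), so a package is accepted only when it is both digest-valid and gpg-signed. The function names and the sample lines are mine, constructed from the output formats quoted above; newer rpm releases word the status differently.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies rpm --checksig lines
# so "md5 OK" (unsigned) is not mistaken for "md5 gpg OK" (signed and intact).

# classify_checksig LINE -> signed-ok | unsigned | missing-key | bad
classify_checksig() {
    line=$1
    status=${line#*: }            # drop the "filename: " prefix
    case "$status" in
        *"NOT OK"*"MISSING KEYS"*) echo missing-key ;;  # signed, key not on keyring
        *"NOT OK"*)                echo bad ;;          # digest or signature failed
        *gpg*OK*)                  echo signed-ok ;;    # digest and GPG signature OK
        *OK*)                      echo unsigned ;;     # digest only: anyone can make this
        *)                         echo bad ;;          # unrecognised line: do not trust
    esac
}

# audit_checksig: reads checksig lines on stdin, prints every line that is not
# signed-ok, and returns 1 if any such line was seen.
audit_checksig() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_checksig "$line")
        if [ "$verdict" != signed-ok ]; then
            printf 'FLAG %-11s %s\n' "$verdict" "$line"
            rc=1
        fi
    done
    return $rc
}

# check_rpms FILE... : run the real tool (rpm must be installed) through the audit.
check_rpms() { rpm --checksig "$@" 2>&1 | audit_checksig; }

# Demo on constructed sample output (the three formats quoted in the thread).
audit_checksig <<'EOF' || echo "audit failed: at least one package is not gpg-signed"
XFree86-libs-4.1.0-15.i386.rpm: md5 gpg OK
cvs-1.11.2-5.i386.rpm: md5 OK
cvs-1.11.2-5.src.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#897DA07A)
EOF
```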