Time to resurrect multi-key signatures in RPM?

Bojan Smojver bojan at rexursive.com
Tue Aug 26 03:29:52 UTC 2008


Chris Adams <cmadams <at> hiwaay.net> writes:

> That still doesn't help; some things embed the compile time and info in
> the files.  See for example 'uname -v' (although that one is pretty
> easily controlled IIRC) and 'perl -V'.
> 
> One possible way to handle builds that do this would be to do something
> like use the timestamp of the spec file or last CVS update time for
> example and force such builds to use that instead of the current time.
> 
> That doesn't help the 'perl -V' example though, since it includes the
> 'uname -r' and 'uname -v' output in the resulting binary; for example,
> you can see that the current perl RPM on F9/x86_64 was built on a RHEL5
> (or derivative; somebody could tell from the version string) system and
> what kernel it was running at the time.

Right. No very good.

Are these things exceptions to the rule or do majority of package have this kind
of thing built in? If 95% of packages don't have it, the rest can always be
checked by hand by running binary diff or something...

--
Bojan





More information about the fedora-devel-list mailing list