On Thu, Oct 28, 2021 at 06:39:38PM -0000, Luca Boccassi wrote:
> On Mon, Oct 25, 2021 at 07:26:47PM +0000, Zbigniew
Jędrzejewski-Szmek wrote:
> 2) The proposal is built around using the package NVR to indicate
> where it came from. But those names aren't unique. In some cases
> it'll work, but in cases where the noted package cannot be found or
> has been reaped or is just otherwise unavailable, you're back to
> asking for a reproducer on a Fedora release, right? Does the NVR data
> save much work over having build-ID plus debuginfod? That's not
> rhetorical? I don't have many bug reports that are not resolvable by
> just talking through a reproducer and seeing it happen locally, but I
> know I'm not a control case.
Isn't the combination of distro name + distro version + package name
+ package version + package arch enough to uniquely identify? Are
there cases where there can be duplicates in Fedora? Speaking of the
Debian case, the distro version isn't even needed, you won't have
duplicates even across multiple releases.
It depends on how wide of a net you cast. Since package naming is
user-controlled and distribution-wide rules are enforced by disparate
build systems and environments, an NVR (or NEVRA) is not unique. It's
close to unique, but it can't be guaranteed.
--
David Cantrell <dcantrell(a)redhat.com>
Red Hat, Inc. | Boston, MA | EST5EDT