On Fr, 29.10.21 14:09, David Cantrell (dcantrell(a)redhat.com) wrote:
> the information may be useful: maybe the software is in an
older
> version that you don't support, or maybe the bug was already fixed in
> a later version, etc.
>
> That said, for Fedora official builds, package NVR is unique, koji
> takes care of that. (Successful) official builds are also never
> reaped. So at least in case of Fedora packages, it should always
> be possible to get the source rpm.
I guess that's my point. The package NVR (or NEVRA, but I mean the
same thing here -- package identifier) is only guaranteed unique for
official Fedora builds. Rawhide builds are unique but are not
guaranteed to live forever. Likewise, local and third-party builds
are entirely out of our control. Someone could build an exactly named
local package and use the glibc NVR on their system.
I feel in the subset of cases where it's useful, it is genuinely
useful. But I feel there are far more cases where this information
won't be usable or make life any easier than simply getting and
reproducer that you can use locally. That's not a reason to not take
the change proposal, but is something I would like to somehow measure
if this change proposal were implemented.
We are using an easily extensible JSON format here. If this really
becomes an issue IRL we can relatively easily extend the format to
address this issue.
For example, one simple idea is that we could insert an additional
JSON property from within koji that marks it as built in
koji. i.e. think a property like this, that koji builds carry but
others do not:
{
…
"originatingBuildSystem" : "koji.fedoraproject.org",
…
}
With such a simple field we could easily distinguish builds from
Fedora from those people might have rebuilt elsewhere, because it
would either lack the field or have a different value.
(But before we do anything like this I think we should see how this
plays out in the wild, and if this really is a problem in the real
world.)
Lennart
--
Lennart Poettering, Berlin