RPM submission procedure

Alan Cox alan at redhat.com
Thu Jan 8 01:37:58 UTC 2004


On Wed, Jan 07, 2004 at 08:24:38PM -0500, Eric S. Raymond wrote:
> Whenever I do a release, I run an upload script specific to that
> project.  The upload script does a bunch of uploads, then calls
> freshmeat-submit.  freshmeat-submit does an XML-RPC transaction with
> freshmeat.net and posts a release announcement.

That side of it makes complete sense.

> You tell me the required metadata is (1) an URL to an SRPM, an MD5
> signature, and a package description.  This raises a couple of 
> questions:
> 
> (1) Why not just mine the description out of the Description field
>     of the SRPM?
> 
> (2) Don't RPMs have their own internal checksum?

Checksums and digital signatures optionally. One very good reason for
submitting an MD5sum in the request though is to make sure you didn't
screw up the URL or get a stale file cached somewhere. It could be
a completely valid, genuine, GPG-signed wrong RPM otherwise.  Having the
extra verification just means the system knows it got the right package,
nobody slipped up and no evil web accelerator or cache got in the way
to ruin the party.

(BTW SHA please, MD5 has flaws 8)

Alan
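
The check described in the message above, as an added example that is not part of the original post or of any Red Hat or freshmeat tooling: a genuine, validly signed but stale package passes signature verification and is still rejected because it does not match the digest submitted with the URL. The `algo:hexdigest` submission format, the function names, the sample bytes and the use of an HMAC as an offline stand-in for the GPG signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import io

# Digest algorithms accepted from submitters; MD5 is deliberately absent.
ALLOWED = {"sha256", "sha512"}

# Constructed stand-in for the publisher's GPG key: an HMAC key plays the
# role of the signature so the example runs offline with the stdlib only.
PUBLISHER_KEY = b"constructed-demo-key"


def sign(payload: bytes) -> str:
    """Stand-in for a publisher signature over the package bytes."""
    return hmac.new(PUBLISHER_KEY, payload, hashlib.sha256).hexdigest()


def signature_ok(payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(payload), sig)


def digest_ok(declared: str, stream, chunk: int = 65536) -> bool:
    """Check fetched bytes against a submitted 'algo:hexdigest' string."""
    algo, _, want = declared.partition(":")
    algo = algo.lower()
    if algo not in ALLOWED:
        raise ValueError(f"digest algorithm not accepted: {algo!r}")
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return hmac.compare_digest(h.hexdigest(), want.strip().lower())


def accept(declared: str, fetched: bytes, sig: str) -> bool:
    """Accept only a package that is both genuine and the one submitted."""
    return signature_ok(fetched, sig) and digest_ok(declared, io.BytesIO(fetched))


# Constructed sample data: two genuine releases of the same package.
OLD = b"demo-1.0-1.src.rpm contents (constructed)"
NEW = b"demo-1.1-1.src.rpm contents (constructed)"
SUBMITTED = "sha256:" + hashlib.sha256(NEW).hexdigest()

if __name__ == "__main__":
    # A stale cache serves OLD together with OLD's own valid signature.
    print("stale copy, signature valid:", signature_ok(OLD, sign(OLD)))
    print("stale copy accepted:", accept(SUBMITTED, OLD, sign(OLD)))
    print("fresh copy accepted:", accept(SUBMITTED, NEW, sign(NEW)))
```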




