About package review and mismatching md5sums
Michael Schwendt
mschwendt at gmail.com
Wed Jun 29 07:48:55 UTC 2011
On Wed, 29 Jun 2011 12:59:41 +0530 (IST), PJP (P) wrote:
> One of the package review guidelines says
>
> ===
> MUST: The sources used to build the package must match the
> upstream source, as provided in the spec URL. Reviewers should use
> md5sum for this task.
> ===
It says more than that:
| If no upstream URL can be specified for this package, please see the
| Source URL Guidelines for how to deal with this.
-> https://fedoraproject.org/wiki/Packaging/SourceURL
-> https://fedoraproject.org/wiki/Packaging/SourceURL#Using_Revision_Control
That is the guideline that's relevant.
> Past couple of days, I've been reviewing the python grapefruit package
> at - https://bugzilla.redhat.com/show_bug.cgi?id=716808
>
> and the thing is, the spec file provides an - $ svn export -r 31 ... - command to pull the sources and create a tarball using $ tar -czvf ...
>
> But as it turns out, it seems, if you create a tarball from the *very same* sources on two different machines, they don't match. As in the md5sum for the two tarballs differs.
>
Examine whether the uncompressed tarball differs already due to file
timestamps or file system differences. A simple md5sum isn't helpful in
that case. You would verify an svn snapshot tarball with a full tree diff,
possibly deleting the revision control maintenance directories beforehand.
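
The tree comparison described in the reply above, as an added example that is not part of the original message: it hashes each file's contents inside two snapshot tarballs and ignores timestamps and revision control directories. The file names, contents and timestamps are constructed sample data, and the helper names are hypothetical.

```python
import hashlib
import io
import tarfile

VCS_DIRS = {".svn", "CVS", ".git"}  # revision control maintenance directories

def make_tarball(files, mtime):
    """Build a .tar.gz in memory from {path: bytes}; constructed sample input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def tree_manifest(tarball):
    """Map each file path to the SHA-256 of its contents, ignoring tar metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            if VCS_DIRS.intersection(member.name.split("/")):
                continue  # skip .svn and similar directories
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
            elif member.issym() or member.islnk():
                manifest[member.name] = "link:" + member.linkname
    return manifest

def tree_diff(a, b):
    """Return paths that exist on one side only or whose contents differ."""
    ma, mb = tree_manifest(a), tree_manifest(b)
    return {
        "only_in_a": sorted(ma.keys() - mb.keys()),
        "only_in_b": sorted(mb.keys() - ma.keys()),
        "changed": sorted(p for p in ma.keys() & mb.keys() if ma[p] != mb[p]),
    }

# Constructed sample tree: the same sources packed at different times on two machines.
FILES = {"snapshot/setup.py": b"from distutils.core import setup\n",
         "snapshot/grapefruit.py": b"VERSION = 'sample'\n"}
PACKAGER = make_tarball(FILES, mtime=1309300000)
REVIEWER = make_tarball({**FILES, "snapshot/.svn/entries": b"10\n"}, mtime=1309390000)
MODIFIED = make_tarball({**FILES, "snapshot/grapefruit.py": b"VERSION = 'x'\n"}, mtime=1309300000)

if __name__ == "__main__":
    for name, blob in (("packager", PACKAGER), ("reviewer", REVIEWER)):
        print(name, hashlib.md5(blob).hexdigest())  # archive checksums differ
    print(tree_diff(PACKAGER, REVIEWER))  # no differences in file contents
    print(tree_diff(PACKAGER, MODIFIED))  # grapefruit.py reported as changed
```

File modes and ownership are not compared here; only paths, file contents and link targets are.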