On Fri, Oct 29, 2021 at 4:00 PM Lennart Poettering <mzerq...@0pointer.de> wrote:
>
> On Fr, 29.10.21 14:09, David Cantrell (dcantr...@redhat.com) wrote:
>
> > > the information may be useful: maybe the software is in an older
> > > version that you don't support, or maybe the bug was already fixed in
> > > a later version, etc.
> > >
> > > That said, for Fedora official builds, package NVR is unique, koji
> > > takes care of that. (Successful) official builds are also never
> > > reaped. So at least in case of Fedora packages, it should always
> > > be possible to get the source rpm.
> >
> > I guess that's my point. The package NVR (or NEVRA, but I mean the
> > same thing here -- package identifier) is only guaranteed unique for
> > official Fedora builds. Rawhide builds are unique but are not
> > guaranteed to live forever. Likewise, local and third-party builds
> > are entirely out of our control. Someone could build an exactly named
> > local package and use the glibc NVR on their system.
> >
> > I feel in the subset of cases where it's useful, it is genuinely
> > useful. But I feel there are far more cases where this information
> > won't be usable or make life any easier than simply getting and
> > reproducer that you can use locally. That's not a reason to not take
> > the change proposal, but is something I would like to somehow measure
> > if this change proposal were implemented.
>
> We are using an easily extensible JSON format here. If this really
> becomes an issue IRL we can relatively easily extend the format to
> address this issue.
>
> For example, one simple idea is that we could insert an additional
> JSON property from within koji that marks it as built in
> koji. i.e. think a property like this, that koji builds carry but
> others do not:
>
> {
> …
> "originatingBuildSystem" : "koji.fedoraproject.org",
> …
> }
>
> With such a simple field we could easily distinguish builds from
> Fedora from those people might have rebuilt elsewhere, because it
> would either lack the field or have a different value.
>
> (But before we do anything like this I think we should see how this
> plays out in the wild, and if this really is a problem in the real
> world.)
>
Scratch builds can reuse NVRs and would get that same flag.
--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
