On 12/02/2009 09:52 AM, Jindrich Novy wrote:
On Tue, Dec 01, 2009 at 05:48:21PM +0100, Radek Vokál wrote:
> On 12/01/2009 02:54 PM, Petr Machata wrote:
>> 01.12.2009 12:59, Jiri Moskovcak wrote:
>>>> Can't you use vendor from the rpm header?
>>> That would require packagers to use it :)
>> Would it? The Vendor tag is forbidden item in spec files, per Fedora
>> policy. The same with Packager. I guess both values are filled in
>> automatically by rpmbuild. On my F11:
>> $ rpm -qi rpm | grep Fedora
>> Version : 4.7.1 Vendor: Fedora Project
>> Packager : Fedora Project
> ccing jnovy, cos I'm under the same impression. Package maintainer
> doesn't set this tag, it's added by our build system.
The packager tag is written to the rpm header if it is defined either
by defining it in the spec or defined as %packager macro in the macro
files rpmbuild uses (most likely coming from redthat-rpm-config).
Current buildsystem setup sets %packager to "Fedora Project".
I'm not seeing the top of the thread, but hey, we have even better
methods how to check origin of the packages. This is what RPM signatures
are good for ;)
This would work for stable releases, rawhide doesn't have signed
packages, but it's still better then Vendor and Packager which might be
changed on user side. I was thinking about checking the package hash
against package in koji, but I don't know if it can be done :(
Actually anyone can define Packager in his own
locally-built spec what might confuse Abrt if he defines it to
At least from the security/reliability POV it doesn't seem too fortunate
to use Packager to classify rpms or whether to create a bug or not.