Checksum for source RPMs in CDT

[jakirkham]

It looks like the CDT template ignores source RPMs' checksums. Based on the note it sounds like we lack verified checksums to use here. Raising to see if there is any other way we might be able to add a checksum for the source RPMs.

cc @mingwandroid

[mingwandroid]

A lot of the RPM stuff parses xml with code developed through trial and error. I wonder if using dnf would be better in some ways. I did look at this once though and it looked like a lot of work!

[jakirkham]

AIUI source RPMs don't actually have verified checksums in the repo. So we would be generating these ourselves by downloading the RPM and computing a checksum. This is a bit kludgy, but I guess we can do that. Or is there a better option that I'm missing?

[scopatz]

Is there a way for the skeleton to generate the checksum for you?

[jakirkham]

Not currently no. We would need to add this. It's important to note this checksum would not be externally validated.

Assuming external validation doesn't matter, here are the rough things we would need to do. We would need to change this line to keep the checksum. Then we'd need to update the template and what gets filled in there. There's probably also some work to pass the checksum around to get it into the template.

[isuruf]

@jakirkham, you can also do what R folks do and have a script that updates the recipe that the conda skeleton gives you.

[isuruf]

xref: https://github.com/bgruening/conda_r_skeleton_helper

[jakirkham]

I'd rather just get the intended behavior into conda-build.

[jakirkham]

For now, I've proposed dropping source RPMs until we have solved this issue (especially given they do not appear to be used) ( https://github.com/conda/conda-build/pull/3580 ).

Though there may be cases where we want them like packaging license files ( https://github.com/conda/conda-build/issues/3568 ). So we still will want to solve this issue.

[github-actions[bot]]

Hi there, thank you for your contribution!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further activity occurs.

If you would like this issue to remain open please:

1. Verify that you can still reproduce the issue at hand
2. Comment that the issue is still reproducible and include:
   • What OS and version you reproduced the issue on
   • What steps you followed to reproduce the issue

NOTE: If this issue was closed prematurely, please leave a comment.

Thanks!

[jakirkham]

Let's keep this open. Also there is a PR linked above that could use a review (when someone has a moment)