Bug 6346 - RFE: rpm should try to download missing source files
Summary: RFE: rpm should try to download missing source files
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm-build
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 1999-10-25 19:32 UTC by Aleksey Nogin
Modified: 2007-04-18 16:24 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-05-21 14:53:18 UTC
Embargoed:



Description Aleksey Nogin 1999-10-25 19:32:49 UTC
Currently (version 3.0.2) rpm prints an error message and
quits when it is asked to build a package and one of the
source or patch files is missing.

It would be really nice if when the source/patch file is
specified using the full URL, then instead of printing an
error message, rpm would ask if the missing file should be
downloaded.

This would enable faster building of the new versions of
packages - when the source location is specified correctly
(using %{version} macro if necessary), you would only need
to update the version field in the spec file and run "rpm
-ba" and the new sources would be downloaded by rpm
automatically.

Comment 1 Jeff Johnson 2000-08-07 13:45:54 UTC
This problem will be addressed after rpm-4.0 is released.

Comment 2 Jeff Johnson 2001-02-22 22:17:21 UTC
Changing component

Comment 3 Jeff Johnson 2001-08-30 19:04:13 UTC
Automatic source/patch downloads aren't what's needed, but
rather an integrated, network aware, rpm build environment
that can download configuration, spec files, components,
build system assignments, and post build disposition.

Comment 4 Aleksey Nogin 2002-11-06 04:52:50 UTC
Any chance this can be reopened? While a fully integrated environment is great,
implementing just this one feature will make things better for people. After
all, the rpm itself is capable of downloading and installing packages straight
off ftp/http - why not add the same thing to rpmbuild?

Also, the source location is often specified with the help of macros - so
downloading manually is not too convenient and any "external" tool will need to
be able to understand rpm macros (at least in some limited way), while rpmbuild
already knows what the location is and just needs to be able to download the file.

Comment 5 Bishop Clark 2003-11-06 22:18:28 UTC
Can't the same functionality be faked with a really crafty %eval?

%define      mysource1     http://www.some.net/path/to/file.tgz
SOURCE1:     %mysource1
%define source1good %( [ ! -f %{S:1} ] && wget -q --dir %_sourcedir %{mysource1} || : )

admittedly, that hack is just that, but a corrected version of the
above may bring you short-term bliss.




Comment 6 R P Herrold 2004-03-02 19:26:55 UTC
A couple comments on the proposal:

1. The concept of 'prompting' within an RPM family tool is outside of
the design space of RPM.  It should not happen for that reason alone.

2. The issue of an automatic, or unattended download, using wget, or
otherwise, is full of security issues -- Monkey-in-the-Middle attacks,
with compromised DNS, faked CA, compromised remote (or MitM made)
archives, and the sort appear to be unsolvable absent finding a
method to find, and on an automated basis, trusting a signed md5sum
hash against the expected value.  Obviously the md5sum cannot be
carried within the Source url, as it is produced externally and after
a tarball is rolled.

Several approaches have emerged -- PDR, mezzanine, the cAos
buildsystem, and the pre- and post-RH fedora variants.  These seem 
closer to the 'correct' space for such approaches to be applied.
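
The check Comment 6 asks for, comparing an unattended download against an expected hash before the build uses it, as an added example that is not part of the bug thread or of rpm. SHA-256 stands in for the md5sum named in the comment; the manifest name `sources.sha256`, its sha256sum-style format and the function names are assumptions, and the manifest is assumed to be kept with the spec file and already authenticated (for example by a signature check).

```shell
#!/bin/sh
# Added example: fail-closed check of a fetched source file against a pinned digest.
# Assumed manifest format (sha256sum text mode): "<hex digest>  <file name>" per line,
# file names without whitespace.

# verify_source MANIFEST FILE
# Returns 0 = digest matches, 1 = digest mismatch,
#         2 = file not listed exactly once, 3 = manifest or file missing.
verify_source() {
    manifest=$1
    file=$2
    [ -f "$manifest" ] && [ -f "$file" ] || return 3
    name=$(basename -- "$file")
    # Exact comparison on the name field, never a substring or pattern match.
    expected=$(awk -v n="$name" '$2 == n { print $1; found++ }
                                 END { if (found != 1) exit 1 }' "$manifest") || return 2
    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# stage_source MANIFEST DOWNLOADED_FILE SOURCEDIR
# The download lands outside SOURCEDIR first; it is moved in only after it
# verifies and is deleted otherwise, so the build never sees an unchecked file.
stage_source() {
    rc=0
    verify_source "$1" "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv -- "$2" "$3/"
    else
        rm -f -- "$2"
        echo "rejected $(basename -- "$2"): verify_source returned $rc" >&2
    fi
    return "$rc"
}

# Demo on constructed data: a matching file is staged, a modified one is rejected.
demo=$(mktemp -d) && mkdir "$demo/in" "$demo/SOURCES"
printf 'constructed tarball bytes\n' > "$demo/in/pkg-1.0.tar.gz"
(cd "$demo/in" && sha256sum pkg-1.0.tar.gz) > "$demo/sources.sha256"
stage_source "$demo/sources.sha256" "$demo/in/pkg-1.0.tar.gz" "$demo/SOURCES" && echo "staged"
printf 'modified in transit\n' > "$demo/in/pkg-1.0.tar.gz"
stage_source "$demo/sources.sha256" "$demo/in/pkg-1.0.tar.gz" "$demo/SOURCES" || echo "rejected, rc=$?"
rm -rf "$demo"
```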


