IDENTITY as header tag extension discussion

[wladmis]

There was a suggestion to calculate RPMTAG_IDENTITY as tag extension and do not the tag to actual rpm package during build time.

The main idea is to take message digest from package header tags filtered by the blacklist containing tags that don't represent actual package build characteristics, such as buildtime or values based on randomness; that digest is the value of RPMTAG_IDENTITY.

One of advantage of IDENTITY is package reproducible build check; advantage of dynamically calculated IDENTITY is no need to rebuild a package to take the value.

Still, in the future releases new tags can be added to rpm, and some of them can be put to the blacklist, so previous and new rpm(8) releases will produce different IDENTITY values, that is not good and requires a solution. One of possible solution is to put to package header some addintional information about IDENTITY version during build time (and prevent to calculate identity if current rpm doesn't know how to do it for required version), or list of tagnos that should be filtered, but it is too flexible, that is not good for the task.

[wladmis]

The previous discussion was here.

Main thought:

• compute identity as a digest of filtered iterated pair of tags and its values of immutable header region;
• change the awk script that generates the tag table to add a marker (like the array return marker) to identify which tags to include (or exclude);

The tags that definitely should be filtered while calculation:

• RPMTAG_ARCH;
• RPMTAG_ARCHIVESIZE;
• RPMTAG_AUTOINSTALLED;
• RPMTAG_BUILDHOST;
• RPMTAG_BUILDTIME;
• RPMTAG_COOKIE;
• RPMTAG_DBINSTANCE;
• RPMTAG_DISTRIBUTION;
• RPMTAG_DISTTAG;
• RPMTAG_DISTURL;
• RPMTAG_FILESTATES;
• RPMTAG_HEADERIMMUTABLE;
• RPMTAG_INSTALLCOLOR;
• RPMTAG_INSTALLTID;
• RPMTAG_INSTALLTIME;
• RPMTAG_LONGARCHIVESIZE;
• RPMTAG_LONGSIGSIZE;
• RPMTAG_LONGSIZE;
• RPMTAG_ORIGBASENAMES;
• RPMTAG_ORIGDIRINDEXES;
• RPMTAG_ORIGDIRNAMES;
• RPMTAG_PAYLOADDIGEST;
• RPMTAG_RELEASE;
• RPMTAG_RSAHEADER;
• RPMTAG_SHA1HEADER;
• RPMTAG_SHA256HEADER;
• RPMTAG_SIGLEMD5_1;
• RPMTAG_SIGLEMD5_2;
• RPMTAG_SIGMD5;
• RPMTAG_SIGPGP;
• RPMTAG_SIGSIZE;
• RPMTAG_SIZE;

--
P.S. Since RPMTAG_RELEASE is supposed to be filtered, there is sense to filter some elemenents of package RPMTAG_PROVIDE* and RPMTAG_REQUIRE*

[wladmis]

One of main task to solve: what we should do with tags that were used previously and do not used now, and tags that can be added in the future, but are not present in rpm now.