use rpm2archive

[cgwalters]

Let's use /usr/bin/rpm2archive in our importer. Among other things it's maintained by the RPM team.

TODO:

• patch it to support not compressing (e.g. just output tar)
• Run this unprivileged
• Add direct support for accepting a file descriptor instead of a file so it can be used in a pipe
• Also fork off GPG verification? Maybe as the same process, e.g. rpm2archive --keyring-fd <fd> --import-fd <fd>

[cgwalters]

One thing we could consider here too is using a Rust RPM parser as a "pre-sanitizer" that validates the GPG signature etc. And perhaps we pass the whole thing off again to rpm2archive if that succeeds. Or, we could optimistically extract at least large files from the parsed data into e.g. O_TMPFILE objects ready to link into the ostree repo, plus one more memfd holding all the smaller files?

[DemiMarie]

One thing we could consider here too is using a Rust RPM parser as a "pre-sanitizer" that validates the GPG signature etc.

Is rpmcanon (part of https://github.com/QubesOS/qubes-rpm-oxide) enough for this? It’s part of Qubes OS and is used in production. (Disclaimer: I wrote rpmcanon.)