[RFE] Provide a way to store checksum of sources in .spec file #570

Closed
voxik opened this issue Oct 11, 2018 · 2 comments

voxik commented Oct 11, 2018

Coming from this [1] discussion, I think it would be nice if the .spec file could store the checksum of the sources used to build the package.

Currently, using dist-git, the hashes are stored in a separate "sources" file. But there is no reason why these checksums should not be stored directly in RPM. That would allow the tooling to actually download the sources from the URL specified by the SourceX tag and verify that the file has the expected content (and get rid of the "sources" file, which RPM does not know anything about).

I can imagine downloading sources was not a good idea when RPM came to life, but it would make things such as submitting rebase PRs, committing just the .spec file without the need to upload sources, etc. easier these days.

There are several ways to do that I can think of, but not sure how feasible they are:

  1. Provide new tag, such as:

         Source0: ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz
         Checksum0: SHA512  = 2c8211ae5f1578502dc9b29babe7d03ec61f500b3c2dd309be2bbd34fd194abba29d95812e7dab4bfacda13e342323921663464bab4cbf4af0a198e8437233f4

     But new tag probably means issues with backward compatibility.

  2. Update "SourceX" tag to accept the hash, e.g.:

         Source0: SHA512 (ftp://ftp.example.com/pub/foo/%{name}-%{version}.tar.gz) = 31bacf58469953282cd5d8b51862dcf4b84dedb927c1871bc3fca32fc157fe49187631575a70838705fe246f4555647577a7ecc26894445a7d64de5503dc11b4

     Please note that the proposed format of the line is the same as the format of the line in current dist-git sources file.

  3. Use "Provides" to simulate something like this? That would probably need least effort (or no effort on RPM side), but I can't see how this could become standard for all RPM based distros:

         Provides: checksum(SHA512 (%{name}-%{version}.tar.gz) = 31bacf58469953282cd5d8b51862dcf4b84dedb927c1871bc3fca32fc157fe49187631575a70838705fe246f4555647577a7ecc26894445a7d64de5503dc11b4)
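
The check that tooling would perform on a downloaded source, given a line in the `ALGO (name) = digest` shape quoted in the post, written as an added example that is not part of the original issue and is not RPM or dist-git code. The function names, the SHA256/SHA512 allow-list and the sample tarball bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Line shape quoted in the issue: ALGO (name-or-URL) = hexdigest
LINE_RE = re.compile(r"^(?P<algo>[A-Z0-9]+) \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]+)$")
# Assumed allow-list: refuse weak or unknown algorithms instead of trusting the line.
ALLOWED = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_checksum_line(line):
    """Return (algo, name, digest) or raise ValueError on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("malformed checksum line")
    algo, name, digest = m["algo"], m["name"], m["digest"].lower()
    if algo not in ALLOWED:
        raise ValueError(f"algorithm not allowed: {algo}")
    if len(digest) != ALLOWED[algo]().digest_size * 2:
        raise ValueError("digest length does not match algorithm")
    return algo, name, digest


def verify_source(line, path):
    """True only if the file at `path` hashes to the digest pinned in `line`."""
    algo, name, digest = parse_checksum_line(line)
    # The name may be a URL; compare its last segment with the local file name.
    if name.rsplit("/", 1)[-1] != Path(path).name:
        raise ValueError("checksum line is for a different file")
    h = ALLOWED[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large tarballs
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), digest)


def demo():
    """Constructed sample: a fake tarball, checked before and after tampering."""
    data = b"constructed sample tarball bytes"
    line = ("SHA512 (ftp://ftp.example.com/pub/foo/foo-1.0.tar.gz) = "
            + hashlib.sha512(data).hexdigest())
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "foo-1.0.tar.gz"
        path.write_bytes(data)
        ok = verify_source(line, path)
        path.write_bytes(data + b"tampered")
        return ok, verify_source(line, path)
```

A digest pinned this way only proves the download matches what the .spec author recorded; it says nothing about whether the upstream file was trustworthy when the digest was taken.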

@ascherer

See issue #463.

voxik commented Oct 15, 2018

Ah, thx for pointing #463 out.
