I'm this evening trying to implement for OpenPKG one of Thomas
Lotterer's long awaited features related to security engineering: to
*recursively* attach to an RPM package the "list of all packages which
were installed at the build time of the package". Thanks to JBJ's hint
about arbitrary tags, I've now come up with a very small but sufficient
solution:
| %_arbitrary_tags Environment:[...]
| [...]
| %description \
| Environment: %(%{l_rpm} -qa --qf '[%%{name}-%%{version}-%%{release}<%%|environment?{%%{environment}}:{}|>]')\
| %{nil}\
| %%description
The result looks something like this:
| $ openpkg rpm -qp --qf '%{environment}' make-3.81-20071211.ix86-freebsd6.3-openpkg.rpm
| gpg-pubkey-63c4cb9f-3c591eda<>gpg-pubkey-61b7ae34-4544a6af<>gpg-pubkey-52197903-4544a74d<>binutils-2.18-20071111<>openpkg-20071213-20071213<>make-3.81-20071211<gpg-pubkey-63c4cb9f-3c591eda<>gpg-pubkey-61b7ae34-4544a6af<>gpg-pubkey-52197903-4544a74d<>binutils-2.18-20071111<>openpkg-20071213-20071213<>>rse@en1:/u/rse/prj/openpkg-2008/src/pkg.src/make
Nothing one can easily decipher as a human, but that's also not
required. It just has to be deciphered by a program in order to determine
e.g. which package has to be rebuilt when a static library got a
security fix applied.
BUT: one question remains which I was not easily able to figure out from
the sources: WHAT IS THE SIZE LIMIT OF TAGS IN RPM 5?
I ask because in OpenPKG the number of installed packages is
between 50 and 150 and because of the recursive inclusion of the
information this could easily bump up the "Environment" tag to a few
hundred KB in size...
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
Received on Thu Dec 13 20:35:08 2007
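
The post says the tag only has to be deciphered by a program, for example to find what must be rebuilt after a security fix. The following is an added example, not part of the original message or of OpenPKG: a parser for the nested `name-version-release<environment>` value shown in the query output, plus a lookup of every build-time chain that leads to a fixed package. The names `parse_environment`, `exposure_paths` and `MAX_DEPTH` are hypothetical; the sample is the tag value from the post without the trailing shell prompt.

```python
# Added example: parser for the nested "Environment" tag value shown in the post.
BASE = ("gpg-pubkey-63c4cb9f-3c591eda<>gpg-pubkey-61b7ae34-4544a6af<>"
        "gpg-pubkey-52197903-4544a74d<>binutils-2.18-20071111<>"
        "openpkg-20071213-20071213<>")
# Tag value from the query output in the post, without the trailing shell prompt.
SAMPLE = BASE + "make-3.81-20071211<" + BASE + ">"

MAX_DEPTH = 64  # assumption: bound nesting so a hostile tag cannot exhaust the stack


def parse_environment(s):
    """Return [(nvr, children), ...] for 'nvr<children>nvr<children>...'."""
    pos = 0

    def parse_list(depth):
        nonlocal pos
        if depth > MAX_DEPTH:
            raise ValueError("environment nested too deeply")
        entries = []
        while pos < len(s) and s[pos] != ">":
            start = pos
            while pos < len(s) and s[pos] not in "<>":
                pos += 1
            if pos == start or pos >= len(s) or s[pos] != "<":
                raise ValueError(f"expected 'name-version-release<' at offset {start}")
            nvr = s[start:pos]
            pos += 1                      # consume '<'
            children = parse_list(depth + 1)
            if pos >= len(s) or s[pos] != ">":
                raise ValueError(f"unterminated environment of {nvr}")
            pos += 1                      # consume '>'
            entries.append((nvr, children))
        return entries

    tree = parse_list(0)
    if pos != len(s):
        raise ValueError(f"unbalanced '>' at offset {pos}")
    return tree


def exposure_paths(tree, fixed_nvr, prefix=()):
    """List every build-time chain that ends at fixed_nvr (the package that got the fix)."""
    paths = []
    for nvr, children in tree:
        chain = prefix + (nvr,)
        if nvr == fixed_nvr:
            paths.append(list(chain))
        paths.extend(exposure_paths(children, fixed_nvr, chain))
    return paths
```

A non-empty result for a package's tag means that package was built with the fixed package present, either directly or through an earlier build recorded in the chain.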