RPM Community Forums

Mailing List Message of <rpm-devel>

Re: Size limit on tag values?

From: Jeff Johnson <n3npq@mac.com>
Date: Thu 13 Dec 2007 - 20:50:19 CET
Message-Id: <016063F9-9593-474B-8F34-2913B0ACB23B@mac.com>

On Dec 13, 2007, at 2:34 PM, Ralf S. Engelschall wrote:

> I'm this evening trying to implement for OpenPKG one of Thomas
> Lotterer's long awaited features related to security engineering: to
> *recursively* attach to an RPM package the "list of all packages which
> were installed at the build time of the package". Thanks to JBJ's hint
> about arbitrary tags, I've now come up with a very small but sufficient
> solution:
>
> | %_arbitrary_tags    Environment:[...]
> | [...]
> | %description \
> | Environment: %(%{l_rpm} -qa --qf '[%%{name}-%%{version}-%%{release}<%%|environment?{%%{environment}}:{}|>]')\
> | %{nil}\
> | %%description
>
> The result looks something like this:
>
> | $ openpkg rpm -qp --qf '%{environment}' make-3.81-20071211.ix86-freebsd6.3-openpkg.rpm
> | gpg-pubkey-63c4cb9f-3c591eda<>gpg-pubkey-61b7ae34-4544a6af<>gpg-pubkey-52197903-4544a74d<>binutils-2.18-20071111<>openpkg-20071213-20071213<>make-3.81-20071211<gpg-pubkey-63c4cb9f-3c591eda<>gpg-pubkey-61b7ae34-4544a6af<>gpg-pubkey-52197903-4544a74d<>binutils-2.18-20071111<>openpkg-20071213-20071213<>>rse@en1:/u/rse/prj/openpkg-2008/src/pkg.src/make
>

Another hint: It would be nice to check that arbitrary tags can
also be indexed. AFAIK, all the pieces _EXCEPT_ attempting
an index lookup for unknown tag through an arbitrary tag index
are in place.

What I mean specifically, is adding yr arbitrary tag "Environment" to

%_dbi_tags_3                     Packages:Name:Basenames:Group:Requirename:Providename:Conflictname:Triggername:Dirnames:Requireversion:Provideversion:Installtid:Sigmd5:Sha1header:Filemd5s:Pubkeys:Packagecolor:Nvra:Sourcepkgid

typing "rpm --rebuilddb", and see whether a /var/lib/rpm/Environment
index is generated correctly. If the index is in place, it's like
10-20 lines of code in lib/query.c to finish an index retrieve.

Otherwise you'll likely have to resort to
     rpm -qa 'Environment=pattern'
sequential retrieves (no idea whether that works either, might, no promises).

> Nothing one can easily decipher as a human, but that's also not
> required. It just has to be deciphered by a program in order to determine
> e.g. which package has to be rebuilt when a static library got a
> security fix applied.
>
> BUT: one question remains which I was not easily able to figure out from
> the sources: WHAT IS THE SIZE LIMIT OF TAGS IN RPM 5?
>

Hard to say absolutely, but the previously imposed tag data store
limit has been changed from 32Mb to 1Gb AFAIK. There are other limits
that constrain the "WHAT IS THE SIZE LIMIT OF TAGS IN RPM 5?"
such as the total size of the data store, which is (afaik) 2GB because
of the necessity to keep the offset an int32_t, the sign change is used
as an immutable region marker. The additional constraints prevent giving
a precise answer.

> I ask because in OpenPKG the every number of installed packages is
> between 50 and 150 and because of the recursive inclusion of the
> information this could easily bump up the "Environment" tag to a few
> hundred KB in size...
>

An additional check to stop an unchecked recursion from attempting
Headers that are 100's of Gb is likely fairly easy to accomplish.

Don't do that should be good enough answer for the next week or two,
new features in rpm usually take 2-3 years to be used, I expect
"arbitrary tags" to be no different. More than enough time to stop
a runaway recursion train wreck imho ...

73 de Jeff
Received on Thu Dec 13 20:51:16 2007
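
The nested `name-version-release<...>` value discussed in this message can be deciphered by a small program; the following is an added example, not code from the original message or from RPM/OpenPKG. The size and depth caps and the owner name `example-1.0-1` are assumptions, and the sample string is constructed from the package names shown above.

```python
# Parser for the recursive "Environment" value shown in the thread:
#   env := ( NVR "<" env ">" )*
MAX_BYTES = 1 << 20   # assumed cap for this example, not an RPM limit
MAX_DEPTH = 16        # assumed cap for this example

def parse_environment(text, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Return a list of (nvr, children) tuples; raise ValueError on bad input."""
    if len(text.encode()) > max_bytes:
        raise ValueError("Environment value exceeds size cap")
    root = []
    stack = [root]          # stack[-1] is the list currently being filled
    name = []
    for pos, ch in enumerate(text):
        if ch == "<":
            if not name:
                raise ValueError(f"'<' without package name at offset {pos}")
            if len(stack) > max_depth:
                raise ValueError("nesting exceeds depth cap")
            children = []
            stack[-1].append(("".join(name), children))
            stack.append(children)
            name = []
        elif ch == ">":
            if name or len(stack) == 1:
                raise ValueError(f"unbalanced '>' at offset {pos}")
            stack.pop()
        else:
            name.append(ch)
    if name or len(stack) != 1:
        raise ValueError("truncated Environment value")
    return root

def built_with(owner, env, fixed_nvr):
    """Packages (owner included) whose build-time environment lists fixed_nvr."""
    hits, todo = set(), [(owner, env)]
    while todo:                      # iterative walk, no Python recursion
        pkg, entries = todo.pop()
        for nvr, children in entries:
            if nvr == fixed_nvr:
                hits.add(pkg)
            todo.append((nvr, children))
    return hits

# Constructed sample modeled on the output in the message (shortened).
SAMPLE = ("binutils-2.18-20071111<>openpkg-20071213-20071213<>"
          "make-3.81-20071211<binutils-2.18-20071111<>openpkg-20071213-20071213<>>")
```

Calling `built_with("example-1.0-1", parse_environment(SAMPLE), "binutils-2.18-20071111")` lists both the owning package and the nested `make` build as rebuild candidates.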