Re: Release in tar.gz format

From: Jeff Johnson <n3npq@mac.com>
Date: Thu 14 Jul 2011 - 20:08:47 CEST
Message-id: <6C8A89DA-09A4-4DD4-8724-9B17B98DA434@mac.com>

On Jul 14, 2011, at 1:20 PM, YuGiOhJCJ Mailing-List wrote:

> Hello,
> When I go on the rpm5 website I see the release are now given in src.rpm format.
> Indeed, the last rpm release using the .tar.gz format is rpm-5.3.5.
> The tar.gz format is a common archive type easy to extract on many operating systems.

Yes it is.

> Can you tell me why you chose to release into this format only?

	To illustrate the features in RPM *.src.rpm format as a distribution
	format as well as de facto "dog food" testing of those same features.

I refer to something called "non-repudiable signatures" @rpm5.org in *.src.rpm.

It's basically the same as a self-signed host cert, except for a software distribution.

And the benefit (over detached *.asc) is that you can download _EVERYTHING_,
not just the tar-ball. In fact there's (at least) 2 tar balls necessary
to download, the 2nd tar ball has "last known good" per-platform macro configuration.

> Can you tell me how I can extract it?

Sure. Grab scripts/rpm2cpio.sh from the tar ball you already have.
(I can post, in fact have posted that script a zillion times for years)

Download the *.src.rpm and feed it to rpm2cpio.sh script like this:

	mkdir /tmp/XXX
	cd /tmp/XXX
	./rpm2cpio.sh rpm*.src.rpm | cpio -dim

You will see the tar ball you quest magically appear in /tmp/XXX,
as well as the 2nd tar ball (that you might wish to examine) and
a rpm.spec that is more or less a reasonable starting point to
building rpm in *.rpm packaging (which is likely not you).

All from a digitally signed container format in a single download called  drum roll please 


Don't take my sarcasm personally; I quite well know what you and everyone
else expect: compressed tar balls. You should be able to perceive that there
are most definitely reasons and features for deliberately choosing *.src.rpm
here @rpm5.org as a distribution format.

This *IS* RPM, and it's not like *.src.rpm haven't been around for more
than a decade, and SRPM's are quite commonly used instead of tar balls by
most rpm based distros.

SRPM's also avoid the need for multiply compressed (and multiply signed)
tarballs. Of course that's just smoke-and-mirrors because there is a
decompressor buried in rpm2cpio.sh and you WILL need to supply
a decompressor of the appropriate persuasion (and @rpm5.org will not have
to serve up multiple tar balls in every possible compression format
just to try to please every one).

What _IS_ Newer! Better! Bestest! @rpm5.org is the "non-repudiable signature",
based on section 13.8.2, p582 in the "Handbook of Applied Cryptography"
(and it's only 2 pages, won't hurt you a bit to understand what is being
attempted because it *is* your security that is being protected even if you
wish a naked tar ball as a distribution format).


73 de Jeff

> Thank you.
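
The extraction step Jeff describes (`rpm2cpio.sh rpm*.src.rpm | cpio -dim`) works because an RPM is a fixed container: a 96-byte lead, a signature header padded to 8 bytes, the main header, and then a cpio payload whose compressor rpm2cpio.sh sniffs from magic bytes. The Python below is an added illustration of that walk, not rpm5's own scripts/rpm2cpio.sh; it builds a constructed stand-in *.src.rpm in memory (placeholder name, placeholder tarball bytes, a one-line rpm.spec) so it runs offline, and it generalizes the page's gzip case to the bzip2, xz and uncompressed payloads a real rpm2cpio has to handle.

```python
"""
Walk the RPM container layout rpm2cpio-style scripts rely on:
lead (96 bytes) -> signature header (8-byte aligned) -> main header ->
compressed newc cpio payload.  The package built here is a constructed
stand-in with the real layout but placeholder contents.
"""
import bz2
import gzip
import lzma
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96

# Payload magic numbers, in the style of rpm2cpio.sh's compressor sniffing.
COMPRESSORS = [
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"BZh", "bzip2", bz2.decompress),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
    (b"070701", "none", lambda b: b),        # bare newc cpio, no compression
]
COMPRESS = {"gzip": gzip.compress, "bzip2": bz2.compress,
            "xz": lzma.compress, "none": lambda b: b}


def align4(n):
    return n + (-n % 4)


def header_size(buf, off):
    """Length of the header structure at off: 16-byte intro + index + data."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    return 16 + nindex * 16 + hsize


def locate_payload(buf):
    """Return (payload_offset, compressor_name), using only the lengths the
    header structures declare, exactly as rpm2cpio.sh does."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = LEAD_SIZE
    sig = header_size(buf, off)
    off += sig + (-sig % 8)                  # signature header is padded to 8
    off += header_size(buf, off)             # main header is not padded
    for magic, name, _ in COMPRESSORS:
        if buf[off:off + len(magic)] == magic:
            return off, name
    raise ValueError("unknown payload compressor at offset %d" % off)


def parse_newc(data):
    """Minimal reader for the 'newc' (070701) cpio format rpm payloads use."""
    files, pos = {}, 0
    while True:
        if data[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio header at %d" % pos)
        fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = data[pos + 110:pos + 110 + namesize - 1].decode()
        pos = align4(pos + 110 + namesize)
        if name == "TRAILER!!!":
            return files
        files[name] = data[pos:pos + filesize]
        pos = align4(pos + filesize)


def extract_files(buf):
    """The 'rpm2cpio.sh | cpio -dim' step done in memory: {path: bytes}."""
    off, name = locate_payload(buf)
    decompress = next(fn for _, n, fn in COMPRESSORS if n == name)
    return parse_newc(decompress(buf[off:]))


def rpm_header(entries):
    """Build a header structure from (tag, type, count, data) tuples."""
    index, data = b"", b""
    for tag, typ, count, value in entries:
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += value
    return (HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data))
            + index + data)


def newc_entry(name, data):
    """One cpio newc entry: 110-byte ASCII-hex header, NUL-terminated name, data."""
    nb = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nb), 0]
    head = b"070701" + "".join("%08x" % f for f in fields).encode() + nb
    head += b"\0" * (-len(head) % 4)
    return head + data + b"\0" * (-len(data) % 4)


def build_fake_srpm(compressor="gzip"):
    """Constructed stand-in *.src.rpm: real layout, placeholder contents."""
    lead = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 1, 1)   # v3.0, type 1 = source
            + b"rpm-X.Y.Z-0.src".ljust(66, b"\0")                     # placeholder NEVR
            + struct.pack(">HH", 1, 5) + b"\0" * 16)                  # sig type 5 = header-style
    sig = rpm_header([(1004, 7, 16, b"\0" * 16)])                     # RPMSIGTAG_MD5, BIN
    sig += b"\0" * (-len(sig) % 8)
    hdr = rpm_header([(1000, 6, 1, b"rpm\0")])                        # RPMTAG_NAME, STRING
    payload = (newc_entry("rpm-X.Y.Z.tar.gz", b"placeholder tarball bytes")
               + newc_entry("rpm.spec", b"Name: rpm\n")
               + newc_entry("TRAILER!!!", b""))
    return lead + sig + hdr + COMPRESS[compressor](payload)


if __name__ == "__main__":
    blob = build_fake_srpm()
    print("payload at offset %d, compressor %s" % locate_payload(blob))
    for path, body in extract_files(blob).items():
        print(path, len(body), "bytes")
```

Note what this does and does not do: like rpm2cpio.sh, it reads the signature header only to learn its length and skips straight to the payload, so nothing here checks the signature Jeff is pointing at. Verifying the downloaded *.src.rpm (`rpm --checksig` on the file) is the step that makes the "everything in one signed download" property worth anything; unpacking alone proves only that the container parsed.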
