Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 902095 - add Manifest information to /var/db/pkg/ to track exact source identities for builds
Summary: add Manifest information to /var/db/pkg/ to track exact source identities for...
Status: UNCONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Enhancement/Feature Requests (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Portage team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-18 22:02 UTC by Tom Gillespie
Modified: 2023-03-20 18:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tom Gillespie 2023-03-18 22:02:05 UTC 
The checksums of the source code and other input files (e.g. patches) that were inputs to build a package are not currently tracked in /var/db/pkg/ entries.

While it is in principle possible to reconstruct this information by looking at the portage tree, that information can be lost or hard to find if packages were build long ago against an rsync tree or if a manifest was regenerated, e.g. due to events like the github source tarball checksum changes.

Therefore it would be nice to include the whole Manifest in the vdb, or ideally just the subset of Manifest entries that were actually used as inputs for the build.

This will make it possible to determine the original identities of the source files that were used without having to go on archaeological expeditions into old versions of the portage tree. This is valuable for tracking the source code provenance for packages.

For live ebuilds it is probably sufficient to record the commit they were built from (in addition to the manifest records for any patches that were applied).

A somewhat related issue https://bugs.gentoo.org/303403

Reproducible: Always