Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 902095

Summary: add Manifest information to /var/db/pkg/ to track exact source identities for builds
Product: Portage Development Reporter: Tom Gillespie <tgbugs>
Component: Enhancement/Feature RequestsAssignee: Portage team <dev-portage>
Status: UNCONFIRMED ---    
Severity: normal CC: gentoo, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=303403
Whiteboard:
Package list:
Runtime testing required: ---

Description Tom Gillespie 2023-03-18 22:02:05 UTC 
The checksums of the source code and other input files (e.g. patches) that were inputs to build a package are not currently tracked in /var/db/pkg/ entries.

While it is in principle possible to reconstruct this information by looking at the portage tree, that information can be lost or hard to find if packages were build long ago against an rsync tree or if a manifest was regenerated, e.g. due to events like the github source tarball checksum changes.

Therefore it would be nice to include the whole Manifest in the vdb, or ideally just the subset of Manifest entries that were actually used as inputs for the build.

This will make it possible to determine the original identities of the source files that were used without having to go on archaeological expeditions into old versions of the portage tree. This is valuable for tracking the source code provenance for packages.

For live ebuilds it is probably sufficient to record the commit they were built from (in addition to the manifest records for any patches that were applied).

A somewhat related issue https://bugs.gentoo.org/303403

Reproducible: Always