How do I get rpmbuild to download all of the sources for a particular .spec?

Asked 16/10, 2015 at 18:39 Answered 22/8, 2018 at 23:49

I am adding some sources to an existing rpm .spec file by URL and don't have them downloaded yet. Is there a way to get rpmbuild to download the sources rather than doing it manually?

Ursulina answered 16/10, 2015 at 18:39 Comment(0)

The spectool utility from the rpmdevtools package can do this. Just install rpmdevtools and point spectools at the .spec like so:

spectool -g -R SPECS/nginx.spec

It will download any missing sources into rpm's %{_sourcedir} (usually SOURCES) directory.

Ursulina answered 16/10, 2015 at 18:41 Comment(6)

I can't find which rpm contains spectool in SUSE. – Hausmann 23/3, 2016 at 10:37

Is it not simply 'spectool' build.opensuse.org/package/show/devel:tools/spectool – Ursulina 23/3, 2016 at 13:56

As I wanted to know what the flags mean: "-g, --gf, --get-files gets the sources/patches that are listed with a URL; -R, --sourcedir download into rpm's %{_sourcedir}" – Scotism 30/6, 2017 at 20:33

@Hausmann Try yum whatprovides "*bin/spectool" – Cheesy 9/8, 2017 at 14:0

For SUSE: software.opensuse.org/… – Hawsehole 16/2, 2019 at 21:30

As @Scotism pointed out, spectool downloads files into the %{_sourcedir} directory. If you want to know where that is on your own system, you can evaluate it using rpm --eval "%{_sourcedir}". I happen to use this for all sorts of things recently and found it pretty useful to share. – Countersubject 3/2, 2021 at 14:2

For posterity, there is another way to do it, which does not need any additional tools or downloads:

rpmbuild --undefine=_disable_source_fetch -ba /path/to/your.spec

Downloading sources automatically is forbidden by default because RPM lacks built-in integrity checks for the source archives. The network has to be trusted, and any checksums and signatures checked. This restriction makes sense for package maintainers, as they are responsible for shipping trusted code.

However, when you know what you are doing and understand the risks, you may just forcibly lift the restriction.

Reach answered 11/9, 2017 at 10:49 Comment(1)

rpmbuild --undefine=_disable_source_fetch --define '_sourcedir .' -ba *.spec finally. – Luckett 26/7, 2021 at 10:5

In the spec file, you can place %undefine _disable_source_fetch anywhere before the source URL.

For security purposes, you should also specify the sha256sum, and check it in the %prep section prior to setup.

Here is a working example:

Name:       monit
Version:    5.25.1
Release:    1%{?dist}
Summary:    Monitoring utility for unix systems

Group:      Applications/System
License:    GNU AFFERO GENERAL PUBLIC LICENSE version 3
URL:        https://mmonit.com/monit/
%undefine _disable_source_fetch
Source0:    https://mmonit.com/monit/dist/%name-%version.tar.gz
%define     SHA256SUM0 4b5c25ceb10825f1e5404f1d8a7b21507716b82bc20c3586f86603691c3b81bc

%define debug_package %nil

BuildRequires:  coreutils

%description
Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance
and repair and can execute meaningful causal actions in error situations.

%prep
echo "%SHA256SUM0  %SOURCE0" | sha256sum -c -
%setup -q

...

Credits

@YaroslavFedevych for undefine _disable_source_fetch.

Tint answered 13/1, 2018 at 11:48 Comment(5)

I tried doing all of this, but I am still not getting RPM to download the tarball from the url. Instead, it tries to use the /usr/src/packages/SOURCES/%name-%version.tar.gz file. FYI I am using the 4.4.2.3 rpmbuild version – Magnet 19/8, 2019 at 10:0

I have just tested on another environment that has rpmbuild 4.12.0.1 and everything worked perfectly (even without the %undefine and %define lines). If it can help others, I found out that download of sources from url instead of using SOURCES/ has been introduced since 4.4.6 redhat.com/archives/rpm-list/2007-December/msg00003.html – Magnet 19/8, 2019 at 12:10

I found 4.11.3 does not honor the %undefine _disable_source_fetch directive. However, you can still use it on the command line as @Yaroslav mentioned. But @Tint kudos for the SHA checksum code... great idea even if the tarball is already in the SOURCES directory. – Mori 11/2, 2020 at 20:12

Note that there's a typo in the validation code: There must be two spaces between %SHA256SUM0 and %SOURCE0, not just one space. – Unification 24/4, 2020 at 23:56

@Unification Works for me, but I'll take your word for it that that's the case for you. Updated, thanks. – Tint 25/4, 2020 at 0:57

If you are getting sources from a (git) hosting service (github, etc..) there is support for automatically checking it out already built-in, when combined with _disable_source_fetch...

https://fedoraproject.org/wiki/Packaging:SourceURL

For example, for a specific githash from github:

%global commit 40-CHARACTER-HASH-VALUE
%global shortcommit %(c=%{commit}; echo ${c:0:7})
Source0:  https://github.com/OWNER/PROJECT/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
...
%prep
%autosetup -n PROJECT-%{commit}

Emulsoid answered 22/8, 2018 at 23:49 Comment(0)

Recommended topics

Hot tags