Ensure we pull/build only released packages

[hhorak]

When using rhpkg downloader strategy, it is not clear what hash was used to already published build and which were not yet published (and what is more important, might contain some embargoed information). So, for rebuilding published RPMs (like RHSCL rebuilds for CentOS), it would be necessary to either:

• find out which hashes match the published builds
• or use SRPM repository that contains published RPMs only

[junaruga]

Maybe you want to prevent the package that is not published to be built on public build system such as Copr, right?

And

what hash was used to already published

hash?

Like this?
https://www.apache.org/dist/httpd/httpd-2.2.32.tar.gz.sha1

19e94b8c9e727cc16b75795814c5b0e27ebc08d5 *httpd-2.2.32.tar.gz

[junaruga]

or use SRPM repository that contains published RPMs only

Adding additonal download option to download SRPMs from repository. This looks easier to implement.

[junaruga]

@hhorak as we talked today, the solution is implementing below 2 new features.

• Adding download option to download SRPM.
• Output warning message "You may access public build service to build packages downloaded by rhpkg." if user is running RPM List Builder on below cases. Basically it is user's responsibility.
  • download: using rhpkg command (rhpkg option or custom option including rhpkg in custom YAML file) AND
  • build: using copr-cli or koji command (copr option or custom option including copr-cli or koji in custom YAML file).

[hhorak]

That looks good to me, thanks.