You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(packaging): tilde-encode pre-release versions so RPM/DEB upgrades work (#588)
Releases rc.3 through rc.8 stripped the pre-release suffix (${VERSION%%-*}),
so every RC built the same NVR openwatch-0.2.0-1 — dnf reported the next RC as
'already installed' and never upgraded. The DEB used a hyphen revision
(0.2.0-rc.8), which orders RCs but sorts ABOVE 0.2.0, so GA would never
supersede an RC.
Encode pre-releases with a tilde instead (0.2.0~rc.8), which sorts below GA and
distinguishes RCs (verified via rpm.vercmp and dpkg --compare-versions). Add
Epoch 1 (RPM Epoch:, DEB 1: prefix) so an upgrade from the already-published
bare-0.2.0 installs is not seen as a downgrade — proven in a rockylinux:9
container: the published rc.7 (0:0.2.0-1) upgrades cleanly to 1:0.2.0~rc.8-1.
Build the binary with the full semver so 'openwatch --version' still reports
0.2.0-rc.8.
Spec release-package-build v1.1.0 (C-12/AC-21) + a source-inspection regression
test. Install-guide examples updated to the tilde filenames.
Copy file name to clipboardExpand all lines: specs/release/package-build.spec.yaml
+28-1Lines changed: 28 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
spec:
2
2
id: release-package-build
3
3
title: Native RPM and DEB packaging
4
-
version: "1.0.0"
4
+
version: "1.1.0"
5
5
status: approved
6
6
tier: 2
7
7
@@ -106,6 +106,22 @@ spec:
106
106
per install). openssl MUST be a package dependency.
107
107
type: security
108
108
enforcement: error
109
+
- id: C-12
110
+
description: >
111
+
A pre-release VERSION (one carrying a hyphen suffix such as
112
+
0.2.0-rc.8) MUST be encoded in both packages with a tilde, never by
113
+
stripping the suffix: the RPM Version and the DEB upstream version MUST
114
+
be 0.2.0~rc.8. The tilde sorts a pre-release BELOW the final release
115
+
(0.2.0~rc.8 < 0.2.0) so GA cleanly supersedes it, and distinguishes RCs
116
+
from each other (stripping collapsed every RC to the same NVR, so dnf
117
+
reported the next RC as already installed). Because releases rc.3..rc.8
118
+
shipped with the suffix stripped (bare 0.2.0, Epoch 0 / no epoch), both
119
+
packages MUST carry Epoch 1 (RPM Epoch:, DEB version prefix 1:) so an
120
+
upgrade from those mis-versioned installs is not seen as a downgrade.
121
+
The embedded binary MUST still report the true semver (0.2.0-rc.8), not
122
+
the tilde form. Source-inspection enforces (AC-21).
123
+
type: technical
124
+
enforcement: error
109
125
110
126
acceptance_criteria:
111
127
- id: AC-01
@@ -186,3 +202,14 @@ spec:
186
202
description: The package payloads ship the empty /etc/openwatch/keys directory and the provisioning helper at /usr/lib/openwatch/, but do NOT contain jwt_private.pem or credential.key (verified via rpm -qpl and dpkg-deb -c — the keys are generated per-install, never packaged).
187
203
priority: critical
188
204
references_constraints: [C-11]
205
+
- id: AC-21
206
+
description: >-
207
+
Source-inspection of the build scripts and RPM spec — build-rpm.sh
208
+
encodes the version with a tilde (it must NOT strip the suffix via the
0 commit comments