{"id":43170467,"url":"https://github.com/rocky-linux/srpmproc","last_synced_at":"2026-02-01T02:20:44.968Z","repository":{"id":38443151,"uuid":"358118351","full_name":"rocky-linux/srpmproc","owner":"rocky-linux","description":"Upstream package importer with auto patching","archived":false,"fork":false,"pushed_at":"2025-03-07T19:45:06.000Z","size":7113,"stargazers_count":25,"open_issues_count":8,"forks_count":15,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-03-07T20:31:55.844Z","etag":null,"topics":["hacktoberfest"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rocky-linux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-15T03:44:28.000Z","updated_at":"2024-12-11T00:37:48.000Z","dependencies_parsed_at":"2025-03-07T20:36:53.118Z","dependency_job_id":null,"html_url":"https://github.com/rocky-linux/srpmproc","commit_stats":null,"previous_names":[],"tags_count":46,"template":false,"template_full_name":null,"purl":"pkg:github/rocky-linux/srpmproc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rocky-linux%2Fsrpmproc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rocky-linux%2Fsrpmproc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rocky-linux%2Fsrpmproc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rocky-linux%2Fsrpmproc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rocky-linux","download_ur
l":"https://codeload.github.com/rocky-linux/srpmproc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rocky-linux%2Fsrpmproc/sbom","scorecard":{"id":781995,"data":{"date":"2025-08-11","repo":{"name":"github.com/rocky-linux/srpmproc","commit":"f2f9d062caca4cc72f47816e70bd22f5b373ea6c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.9,"checks":[{"name":"Code-Review","score":3,"reason":"Found 6/16 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/go.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"project 
is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/go.yml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: 
LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.6.4 not signed: https://api.github.com/repos/rocky-linux/srpmproc/releases/180201864","Warn: release artifact v0.6.3 not signed: https://api.github.com/repos/rocky-linux/srpmproc/releases/165234561","Warn: release artifact v0.6.2 not signed: https://api.github.com/repos/rocky-linux/srpmproc/releases/162151098","Warn: release artifact v0.6.1 not signed: https://api.github.com/repos/rocky-linux/srpmproc/releases/160381000","Warn: release artifact v0.6.0 not signed: https://api.github.com/repos/rocky-linux/srpmproc/releases/159796166","Warn: release artifact v0.6.4 does not have provenance: https://api.github.com/repos/rocky-linux/srpmproc/releases/180201864","Warn: release artifact v0.6.3 does not have provenance: https://api.github.com/repos/rocky-linux/srpmproc/releases/165234561","Warn: release artifact v0.6.2 does not have provenance: https://api.github.com/repos/rocky-linux/srpmproc/releases/162151098","Warn: release artifact v0.6.1 does not have provenance: https://api.github.com/repos/rocky-linux/srpmproc/releases/160381000","Warn: release artifact v0.6.0 does not have provenance: https://api.github.com/repos/rocky-linux/srpmproc/releases/159796166"],"documentation":{"short":"Determines if 
the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/rocky-linux/srpmproc/go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/rocky-linux/srpmproc/go.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/go.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/rocky-linux/srpmproc/go.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating golang:1.15.6-alpine to golang:1.15.6-alpine@sha256:f467abead5705eaeadc939ad11cfe85c73650349b8663aaf354f7a9d8f437132","Warn: containerImage not pinned by hash: Dockerfile:6: pin your Docker image by updating centos:8.3.2011 to centos:8.3.2011@sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"11 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3754 / GHSA-2x5j-vhc8-9cwm","Warn: Project is vulnerable to: GO-2025-3367 / GHSA-r9px-m959-cxf4","Warn: Project is vulnerable to: GO-2025-3368 / GHSA-v725-9546-7q7m","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T05:07:13.364Z","repository_id":38443151,"created_at":"2025-08-23T05:07:13.364Z","updated_at":"2025-08-23T05:07:13.364Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28965147,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T02:14:24.993Z","status":"ssl_error","status_checked_at":"2026-02-01T02:13:55.706Z","response_time":56,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest"],"created_at":"2026-02-01T02:20:44.333Z","updated_at":"2026-02-01T02:20:44.959Z","avatar_url":"https://github.com/rocky-linux.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# srpmproc\nUpstream package importer with auto patching. Reference implementation for OpenPatch\n\n\u003e [!WARNING]\n\u003e The Go version of srpmproc is now deprecated. srpmproc v2 is currently at [peridotbuild/pv2](https://github.com/peridotbuild/pv2/tree/main/pv2/srpmproc) and is not backwards compatible.\n\n## Usage\n```\nUsage:\n  srpmproc [flags]\n  srpmproc [command]\n\nAvailable Commands:\n  fetch       \n  help        Help about any command\n\nFlags:\n      --basic-password string           Basic auth password\n      --basic-username string           Basic auth username\n      --branch-prefix string            Branch prefix (replaces import-branch-prefix) (default \"r\")\n      --branch-suffix string            Branch suffix to use for imported branches\n      --cdn string                      CDN URL shortcuts for well-known distros, auto-assigns --cdn-url.  Valid values:  rocky8, rocky, fedora, centos, centos-stream.  Setting this overrides --cdn-url\n      --cdn-url string                  CDN URL to download blobs from. Simple URL follows default rocky/centos patterns. 
Can be customized using macros (see docs) (default \"https://git.centos.org/sources\")\n      --git-committer-email string      Email of committer (default \"rockyautomation@rockylinux.org\")\n      --git-committer-name string       Name of committer (default \"rockyautomation\")\n  -h, --help                            help for srpmproc\n      --import-branch-prefix string     Import branch prefix (default \"c\")\n      --manual-commits string           Comma separated branch and commit list for packages with broken release tags (Format: BRANCH:HASH)\n      --module-fallback-stream string   Override fallback stream. Some module packages are published as collections and mostly use the same stream name, some of them deviate from the main stream\n      --module-mode                     If enabled, imports a module instead of a package\n      --module-prefix string            Where to retrieve modules if exists. Only used when source-rpm is a git repo (default \"https://git.centos.org/modules\")\n      --no-dup-mode                     If enabled, skips already imported tags\n      --no-storage-download             If enabled, blobs are always downloaded from upstream\n      --no-storage-upload               If enabled, blobs are not uploaded to blob storage\n      --package-release string          Package release to fetch\n      --package-version string          Package version to fetch\n      --rpm-prefix string               Where to retrieve SRPM content. 
Only used when source-rpm is not a local file (default \"https://git.centos.org/rpms\")\n      --single-tag string               If set, only this tag is imported\n      --source-rpm string               Location of RPM to process\n      --ssh-key-location string         Location of the SSH key to use to authenticate against upstream\n      --ssh-user string                 SSH User (default \"git\")\n      --storage-addr string             Bucket to use as blob storage\n      --strict-branch-mode              If enabled, only branches with the calculated name are imported and not prefix only\n      --taglessmode                     Tagless mode:  If set, pull the latest commit from the branch and determine version numbers from spec file.  This is auto-tried if tags aren't found.\n      --tmpfs-mode string               If set, packages are imported to path and patched but not pushed\n      --upstream-prefix string          Upstream git repository prefix\n      --version int                     Upstream version\n\nUse \"srpmproc [command] --help\" for more information about a command.\n```\n\n\u003cbr /\u003e\n\n## Examples:\n\n1. Import the kernel package from git.centos.org/rpms/, to local folder /opt/gitroot/rpms/kernel.git/ .  Download the lookaside source tarballs from the default CentOS file server location to local folder `/opt/fake_s3/` .  We want to grab branch \"c8\" (import prefix plus RHEL version), and it will be committed as branch \"r8\" (branch prefix plus RHEL version).  
This assumes that `/opt/fake_s3` exists, and `/opt/gitroot/rpms/kernel.git` exists and is a git repository of some kind (even an empty one).\n\n```\nsrpmproc --branch-prefix \"r\"  --import-branch-prefix \"c\"  --rpm-prefix \"https://git.centos.org/rpms\" --version 8 --storage-addr file:///opt/fake_s3  --upstream-prefix file:///opt/gitroot   --cdn centos --strict-branch-mode --source-rpm kernel\n```\n\n\u003cbr /\u003e\n\n## CDN and --cdn-url\nThe --cdn-url option allows for Go-style templates to craft complex URL patterns.  These templates are: `{{.Name}}` (package name), `{{.Hash}}` (hash of lookaside file), `{{.Hashtype}}` (hash type of file, like \"sha256\" or \"sha512\"), `{{.Branch}}` (the branch we are importing), and `{{.Filename}}` (the lookaside file's name as it appears in SOURCES/).  You can add these values as part of --cdn-url to craft your lookaside pattern.\n\n\nFor example, if I wanted my lookaside downloads to come from CentOS 9 Stream, I would use as part of my command:\n```\n--cdn-url \"https://sources.stream.centos.org/sources/rpms/{{.Name}}/{{.Filename}}/{{.Hashtype}}/{{.Hash}}/{{.Filename}}\"\n```\n\n\n**Default Behavior:**  If these templates are not used, the default behavior of `--cdn-url` is to fall back on the traditional RHEL import pattern:  `\u003cCDN_URL\u003e/\u003cNAME\u003e/\u003cBRANCH\u003e/\u003cHASH\u003e` .  If that fails, a further fallback is attempted, the simple: `\u003cCDN_URL\u003e/\u003cHASH\u003e`.  These cover the common Rocky Linux and RHEL/CentOS imports if the base lookaside URL is the only thing given.  If no `--cdn-url` is specified, it defaults to \"https://git.centos.org/sources\" (for RHEL imports into Rocky Linux)\n\n\n**CDN Shorthand:** For convenience, some lookaside patterns for popular distros are provided via the `--cdn` option.  You can specify this without needing to use the longer `--cdn-url`.  
For example, when importing from CentOS 9 Stream, you could use `--cdn centos-stream`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frocky-linux%2Fsrpmproc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frocky-linux%2Fsrpmproc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frocky-linux%2Fsrpmproc/lists"}