The aim is to have reproducible builds. Everyone must be able to build the package on his computer and be sure of what it contains. It's a fundamental stone in a distributed developers community.
It's a good habit to bound any released RPM to an online document that describes what the RPM ships because the builtin package changelog is not enough.
The online document is actually an issue on NethServer/dev github repository, that
- keeps them public,
- assign an unique number,
- tracks code commits and pull requests
- ease code-review workflow
We use a two-way referencing to create this bound
- write the issue number in the RPM changelog
- write the full package file name in the issue
Package in testing stage have the git commit number in their name to allow reproducible RPM builds.
Released packages have a corresponding git tag in source code repository to allow reproducible RPM builds.