On Wed, 29 Jun 2011 12:59:41 +0530 (IST), PJP (P) wrote:
One of the package review guideline says
===
MUST: The sources used to build the package must match the
upstream source, as provided in the spec URL. Reviewers should use
md5sum for this task.
===
It says more than that:
| If no upstream URL can be specified for this package, please see the
| Source URL Guidelines for how to deal with this.
->
https://fedoraproject.org/wiki/Packaging/SourceURL
->
https://fedoraproject.org/wiki/Packaging/SourceURL#Using_Revision_Control
That is the guideline that's releveant.
Past couple of days, I've been reviewing the python grapefruit
package
at -
https://bugzilla.redhat.com/show_bug.cgi?id=716808
and the thing is, the spec file provides an - $ svn export -r 31 ... - command to pull
the sources and create a tarball using $ tar -czvf ...
But as it turns out, it seems, if you create a tarball from the *very same* sources on
two different machines, they don't match. As in the md5sum for the two tarball
differs.
Examine whether the uncompressed tarball differs already due to file
timestamps or file system differences. A simple md5sum isn't helpful in
that case. You would verify an svn snapshot tarball with a full tree diff,
possibly deleting the revision control maintenance directories beforehand.