Le 24/06/2015 20:02, Gerald B. Cox a écrit :
but I don't believe mandating commit hash in all circumstances is the way to do it.
I think current Guideline is "clear" and doesn't need to be changed.
Please explain how you can check the sources used to build a package is the correct one ?
When upstream provides a tarball (usually because they run "make dist" to provide a usable archive), if they regenerate this tarball and reupload it, the checksum will change.
With TAG auto-generated archives, the checksum is not reliable.
As explained in the Guidelines :
"Keep in mind that github tarballs are generated on-demand, so their modification dates will vary and cause checksum tests to fail."
So again
"For a number of reasons (immutability, availability, uniqueness), you must use the full commit revision hash when referring to the sources."
Yes, there is a number of packages which doesn't respect this Guidelines and use tag/release archive (probably old packages). But there is also a number of packages which respect it.
And it is the role of the reviewer to check and explain this. Nothing complex. Enough examples in the wiki/repo to look at.
Remi.