Dne 25.6.2015 v 07:05 Remi Collet napsal(a):
Le 24/06/2015 20:02, Gerald B. Cox a écrit :
but I don't believe mandating commit hash in all circumstances is the way to do it.
I think current Guideline is "clear" and doesn't need to be changed.
Please explain how you can check the sources used to build a package is the correct one ?
When upstream provides a tarball (usually because they run "make dist" to provide a usable archive), if they regenerate this tarball and reupload it, the checksum will change.
So now you have new checksum, but in dist-git, there is probably already uploaded tarball of the same name with different checksum and now you don't know what happened.
Also, not git expert, but I believe that if I force the Git repository, the hash might be completely missing next time. Not sure what the hash recorded in .spec file will help you.
So as for me, I am using and supporting the approach Gerald is proposing, because I believe it works in 99,9% of cases and it is intuitive and simple, which I cannot say about the current guidelines.
Vít
With TAG auto-generated archives, the checksum is not reliable.
As explained in the Guidelines :
"Keep in mind that github tarballs are generated on-demand, so their modification dates will vary and cause checksum tests to fail."
So again
"For a number of reasons (immutability, availability, uniqueness), you must use the full commit revision hash when referring to the sources."
Yes, there is a number of packages which doesn't respect this Guidelines and use tag/release archive (probably old packages). But there is also a number of packages which respect it.
And it is the role of the reviewer to check and explain this. Nothing complex. Enough examples in the wiki/repo to look at.
Remi.
-- packaging mailing list packaging@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/packaging