tor 2013-05-30 klockan 11:51 +0200 skrev Björn Esser:
I'd say "NO WAY", because tags can be created/deleted/altered by anyone
having write-access to the repo. They are NOT explicitly meant to be
created-once-lasts-forever or points-to-same-commit-sha-forever, so
checking the tarball to be pristine might be close to impossible in the
future, if the tag will be altered pointing to an other commit or be
deleted. This may lead to FTBFS as well. An URL like this also _WILL_
lead to conflicting names of source-tarballs, because it's only named to
the version and not to the app's name. Don't forget the naming
guidelines: "When naming a package, the name should match the upstream
tarball or project..."
https://fedoraproject.org/wiki/Packaging:NamingGuidelines?rd=Packaging/Na...
So using the URL from the guidelines all will be fine, because it will
create a tarball named containing the projectname, version and the
definitive unique and forever-lasting commit-sha...
Why is a tarball published on github less valuable than a tarball
published anywhere else?
Admittedly, as you say a tag in github can be removed and reapplied
again on a different commit. However, a well behaving upstream will not
do this. This is not something unique to github - the same can happen on
a git server somewhere else and in svn and cvs too. Also a tarball
published by upstream on a separate server can be replaced with a
different one if upstream is not well behaved. If you do not accept the
tarball generated from the github tag published on the github server,
why would you accept any source tarball published anywhere? They both
can be replaced at any time by a weirdly behaving upstream. And neither
will be replaced by a well behaving one.
Mattias