On Tue, Apr 21, 2020 at 05:23:47PM +0200, Thorsten Leemhuis wrote:
> Lo!
>
> On 20.04.20 at 16:41, Jeremy Cline wrote:
> > On Fri, Apr 17, 2020 at 10:06:02PM +0200, Thorsten Leemhuis wrote:
> >> On 17.04.20 at 20:55, Don Zickus wrote:
> > […]
> >>> Is there any other large concern with the new workflow?
> >> The more I think about this the more I dislike that we are not using
> >> official, pristine tarballs anymore. This "Source0 is a tarball
> >> generated from a git tree maintained outside of the Fedora infra and
> >> patched with buildscripts" IMHO violates the intention of the SourceURL
> >> part of the Fedora Packaging Guidelines that was put in place for good
> >> reasons (by both Red Hat and community contributors):
> >> https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/
> >
> > It sounds like maybe there's confusion about what the new tarball
> > contains.
>
> Yes, there…
>
> > The tarballs that are generated and checked into dist-git contain no
> > Fedora modifications and are directly from a commit or tag in Linus's git
> > tree generated with git-archive[0].
>
> …indeed was. I apologize for getting this wrong. Just one suggestion in
> that case:
>
> > The only thing that changed is
> > before we took the latest tagged release, then applied an rc patch from
> > upstream if available, then the snapshot from that week's development as
> > a patch generated on the maintainer's machine, then applied
> > Fedora-specific patches. Now we just git-archive Linus's master branch
> > for the day.
>
> Can't we make that clearer by using something like this?
>
> Source0:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapshot/linux-ae83d0b416db002fe95601e7f97f64b59514d936.tar.gz
>
> That was for 5.7-rc2 and makes it obvious where I can download this from
> if I do not trust the contents of the SRPM. And/or a comment right
> before the Source0 line that explains the situation for ordinary people
> might be good enough (yes, there is one, but it's hard to understand).
>

I lean towards a clearer comment. If we change the actual Source0 we
have to stop xz-compressing the tarball and change the naming scheme to
line up with the URL naming format.

> > We can download the tarball (created by git-archive on a signed tag)
> > from kernel.org instead of running git-archive on a signed tag
> > ourselves if that will really help people sleep at night, but we'll
> > still be slapping unsigned snapshots on top of that so it's not clear to
> > me that we'll be gaining much.
>
> Yeah, you definitely have a point for rawhide. But once this scheme is
> used for stable releases it's a bit different, as there the base will
> normally have a signed tag.
>

We've not actually got any machinery for stable releases yet so I think
we can take that into account when we do that.

- Jeremy
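The check discussed in this thread (is the xz tarball in the SRPM the same tree as the kernel.org snapshot for that commit?) can be done without matching compression or directory naming. The following is an added example, not part of the original message or of Fedora's tooling; the archive contents and the `linux-snapshot` directory name are constructed, and only the commit id comes from the URL quoted above.

```python
import hashlib
import io
import tarfile

def manifest(blob):
    """Return (commit id from the pax header, {path: (type, exec bit, content id)})."""
    files = {}
    # "r:*" auto-detects xz or gzip, so the compression used does not matter.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf:
            # Drop the top-level directory; its name differs between naming schemes.
            rel = m.name.partition("/")[2]
            if not rel:
                continue
            # Files are identified by content hash, symlinks by their target.
            ident = (hashlib.sha256(tf.extractfile(m).read()).hexdigest()
                     if m.isfile() else m.linkname)
            # Compare only the exec bit: other mode bits depend on git's tar.umask.
            files[rel] = (m.type, bool(m.mode & 0o100), ident)
        # git-archive records the archived commit as a pax global "comment".
        commit = tf.pax_headers.get("comment")
    return commit, files

def compare(distgit_blob, upstream_blob):
    """Return (same_commit, sorted paths that are missing or differ)."""
    commit_a, files_a = manifest(distgit_blob)
    commit_b, files_b = manifest(upstream_blob)
    differing = sorted(p for p in files_a.keys() | files_b.keys()
                       if files_a.get(p) != files_b.get(p))
    return commit_a is not None and commit_a == commit_b, differing

def make_tarball(prefix, files, commit, comp):
    """Build a constructed sample archive shaped like git-archive output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + comp, format=tarfile.PAX_FORMAT,
                      pax_headers={"comment": commit}) as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + "/" + path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data; only the commit id is taken from the thread.
COMMIT = "ae83d0b416db002fe95601e7f97f64b59514d936"
TREE = {"Makefile": b"VERSION = 5\n", "kernel/fork.c": b"/* fork */\n"}
UPSTREAM = make_tarball("linux-" + COMMIT, TREE, COMMIT, "gz")
DISTGIT = make_tarball("linux-snapshot", TREE, COMMIT, "xz")
PATCHED = make_tarball("linux-snapshot", {**TREE, "Makefile": b"VERSION = 6\n",
                                          "extra.c": b"int x;\n"}, COMMIT, "xz")

if __name__ == "__main__":
    print(compare(DISTGIT, UPSTREAM), compare(PATCHED, UPSTREAM))
```

The `PATCHED` case keeps the same commit id in its header while its contents differ, which is why the header alone is not evidence of a pristine tree.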