On Tue, Apr 21, 2020 at 05:44:14PM +0200, Thorsten Leemhuis wrote:
> On 20.04.20 at 18:55, Don Zickus wrote:
> > On Sat, Apr 18, 2020 at 02:35:24PM +0200, Thorsten Leemhuis wrote:
> >> On 17.04.20 at 22:06, Thorsten Leemhuis wrote:
> >>> On 17.04.20 at 20:55, Don Zickus wrote:
> >>>> Is there any other large concern with the new workflow?
> >>> The more I think about this the more I dislike that we are not using
> >>> official, pristine tarballs anymore. This "Source0 is a tarball
> >>> generated from a git tree maintained outside of the Fedora infra and
> >>> patched with buildscripts" IMHO violates the intention of the SourceURL
> >>> part of the Fedora Packaging Guidelines that was put in place for good
> >>> reasons (by both red hat and community contributors):
> >>> https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/
> > […]
> > Thanks for the feedback! I believe we would like to work out a solution for
> > this. […]
> > Signed tags could work, but they are only applied to releases, not the -rcX
> > updates. So there is a limitation to that.
> >
> > Looking through the Fedora Doc you posted, they seem to provide examples of
> > using a git commit for reference (despite kernel.org using tarballs). In
> > essence that is what we are doing, using more of the upstream commit and
> > generating our own tarball from that commit.
> >
> > Obviously, the problem comes down to trust. Just trying to figure out the
> > most reasonable way to prove we didn't make any mistakes when generating the
> > tarball using the tools we have available.
> >
> > Thoughts?
>
> This overlaps a bit with my reply I just sent to Jeremy (
> https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx/message/PZ3ZCUL2WI7ECONM5HNE6QNZMKTO64VR/
> ), nevertheless:
>
> How about something like this:
>
> * For Source0 on Rawhide with its daily snapshots use something like this:
> Source0: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapshot/linux-ae83d0b416db002fe95601e7f97f64b59514d936.tar.gz
> (taken from
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ae83d0b416db002fe95601e7f97f64b59514d936
>
> Use something like this everywhere else:
>
> Source0: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/snapshot/linux-5.6.6.tar.gz
>
> * For rawhide and its daily snapshots just trust what everyone can
> download at git.kernel.org. Everywhere else verify the signed tag in the
> %prep section of the spec file just like the packaging guidelines suggest:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

Hi Knurd,

Thanks for the suggestions! In order to make this merge happen and satisfy
our goals in the timeframe my management chain was looking for, we hacked
the Fedora and ARK trees together in a rather un-clean way.

Implementing your suggested changes may take a little time to go through the
spaghetti we created.

Let me work with Jeremy and Justin about what is the best course of action.
For now, I am tracking this issue as

https://gitlab.com/cki-project/kernel-ark/-/issues/28

to not lose it.

Does that work for you?

Cheers,
Don
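
Added example, not part of the original thread: one way to check the concern discussed above, that a locally generated Source0 tarball carries exactly the content of the upstream snapshot, is to compare the two archives member by member, since archive checksums differ whenever timestamps or the prefix directory differ. The function names and all sample archives below are constructed for illustration.

```python
import hashlib
import io
import tarfile

def manifest(tar_bytes):
    """Map path (prefix directory stripped) -> (type, mode, digest or link target)."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            # Strip the prefix directory; directory entries are implied by file paths.
            path = member.name.partition("/")[2]
            if member.isfile():
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                entries[path] = ("file", member.mode & 0o777, digest)
            elif member.issym():
                entries[path] = ("symlink", 0, member.linkname)
    return entries

def compare(upstream_bytes, local_bytes):
    """Report paths missing from, added to, or changed in the local archive."""
    up, local = manifest(upstream_bytes), manifest(local_bytes)
    return {
        "missing": sorted(up.keys() - local.keys()),
        "extra": sorted(local.keys() - up.keys()),
        "changed": sorted(p for p in up.keys() & local.keys() if up[p] != local[p]),
    }

def build_sample(prefix, files, mtime):
    """Build a constructed .tar.gz in memory (stand-in for a real download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (mode, data) in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size, info.mode, info.mtime = len(data), mode, mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample content and names; not real kernel files.
FILES = {"Makefile": (0o644, b"VERSION = 5\n"), "README": (0o644, b"Linux kernel\n"),
         "scripts/setlocalversion": (0o755, b"#!/bin/sh\n")}
UPSTREAM = build_sample("linux-COMMIT", FILES, 1587000000)
REBUILT = build_sample("linux-local", FILES, 1587400000)  # other prefix and mtime
PATCHED = build_sample("linux-local", {
    "Makefile": (0o644, b"VERSION = 5\nEXTRAVERSION = -local\n"),
    "scripts/setlocalversion": (0o644, b"#!/bin/sh\n"),
    "redhat/Makefile": (0o644, b"all:\n")}, 1587400000)

if __name__ == "__main__":
    print(compare(UPSTREAM, REBUILT), compare(UPSTREAM, PATCHED), sep="\n")
```

A content comparison like this complements, and does not replace, verifying the signed tag: it shows the two archives agree with each other, not that either one is authentic.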