On Tue, Mar 14, 2023 at 10:14:33AM +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 14, 2023 at 06:12:33AM -0400, Andrea Bolognani wrote:
> > On Tue, Mar 14, 2023 at 10:36:56AM +0100, Peter Krempa wrote:
> > > The sources for new libvirt-ocaml releases are hosted via gitlab. Add
> > > the link. Since old releases are not present there preserve also the old
> > > link.
> > ...
> > > * - OCaml
> > > - - `libvirt <https://download.libvirt.org/ocaml/>`__
> > > + - `gitlab <https://gitlab.com/libvirt/libvirt-ocaml/-/tags>`__
> > > + `libvirt (old versions) <https://download.libvirt.org/ocaml/>`__
> >
> > Is the fact that no tarballs have been uploaded for the last few
> > releases intentional, or an oversight?
> >
> > While I see tags for those releases in GitLab, in general git tags
> > are not a replacement for proper release tarballs, which I'm not
> > seeing anywhere on GitLab.
>
> Indeed, as was seen recently with github, the auto-generated tarballs
> can change when the backend impl changes, which invalidate any hashes
> vendors are using to validate tarballs. It is unwise to rely on the
> auto-generated tarballs as the canonical release artifacts

Not only that: you also miss all the stuff generated during the dist
step, so the forge-generated tarballs are going to be unusable or at
the very least require additional steps on the user's part. Plus no
PGP signatures, which libvirt-ocaml seems to have finally started
using recently.

-- 
Andrea Bolognani / Red Hat / Virtualization
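
Review bot: In the OCaml cell, the second added line (`libvirt (old versions) <https://download.libvirt.org/ocaml/>`__) has no list marker of its own, so it appears to continue the same cell as the `gitlab` link and the two links would render back to back with only a space between them; separating them (a comma, or one link per line in a line block) would make it clear that there are two download locations. The new link also targets the `/-/tags` listing, whereas the entry it replaces pointed at a download directory, so link text that says it leads to tags would set the right expectation, and "gitlab" reads better capitalised as "GitLab".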
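
The point made in the thread about auto-generated tarballs and pinned hashes, as an added example that is not part of the original messages or of libvirt's tooling: one constructed file tree is packed twice with different gzip settings (standing in for a forge backend change), so the archive hash changes while a digest over the contents does not. The file names and helper functions are hypothetical.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree standing in for a tagged checkout (not real project files).
FILES = {
    "pkg-1.0/README": b"example package\n",
    "pkg-1.0/src/main.ml": b'let () = print_endline "hi"\n',
}

def make_tarball(files, level):
    """Build a .tar.gz in memory; `level` stands in for the forge's compressor backend."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # default metadata: mtime 0, no owner names
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """What a vendor typically pins: SHA-256 over the compressed archive bytes."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over member names and file bytes, independent of the compressor."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(m).read() if m.isfile() else b""
            h.update(m.name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

if __name__ == "__main__":
    old, new = make_tarball(FILES, 1), make_tarball(FILES, 9)
    print("pinned hash still valid:", archive_digest(old) == archive_digest(new))
    print("same source content:   ", content_digest(old) == content_digest(new))
```

A content digest only shows that the source tree is unchanged; it does not supply the dist-step files or the PGP signature that the reply says forge-generated tarballs lack.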