Tom Lane wrote:
> Kevin Fenzi <kevin@xxxxxxxxx> writes:
>> Here's attached another run of my sources/patches url checker.
>
> I've got several failures in this list, which reminds me that there's a
> pretty serious problem with the entire concept of source URL as defined at
> https://fedoraproject.org/wiki/Packaging/SourceURL
> Namely, that it assumes there's a nice static URL for you to point at.

Right.

> I don't know what an appropriate set of rules is, but I wish that the
> Source-URL packaging guidelines bore some resemblance to the real world
> of modern web design. (Or misdesign, perhaps, but that's what's out
> there.) The special exception for sourceforge needs to be replaced
> with some more general discussion of what to do with bizarre website
> layouts.

The whole point behind Source-URL rules is to have a reliable,
deterministic URL from which a package can be retrieved for e.g.
verification (e.g. checksum), legal reviews, tracking origins of packages
etc. and to prevent Fedora from being vulnerable to upstream dynamics
(low quality random snapshots, bugs, compromised upstreams, etc.)

That said, the sourceforge rule is a "best practice" hint to _prevent_
users from populating source-urls with one of sourceforge's mirrors.
<cite>
For packages hosted on sourceforge, use
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
changing ".tar.gz" to whatever matches the upstream distribution. Note
that we are using downloads.sourceforge.net instead of an arbitrarily
chosen mirror.
</cite>
=> There is no sourceforge exception. It's the converse: We explicitly
advise users to use a static URL.
Ralf
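
An added example, not part of the original message or of any Fedora tooling: a small Python lint that expands `%{name}`/`%{version}` in a spec's Source/Patch tags and flags SourceForge hosts other than downloads.sourceforge.net, as the quoted guideline asks. The sample spec, its host names, and the "dynamic" heuristic (a query string in the URL) are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample spec fragment (not from any real package).
SAMPLE_SPEC = """\
Name:    foo
Version: 1.2.3
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Source1: http://mirror1.dl.sourceforge.net/sourceforge/%{name}/%{name}-data-%{version}.tar.bz2
Source2: http://example.org/download.php?file=%{name}-%{version}.tar.gz
Source3: %{name}.desktop
Patch0:  http://example.org/patches/%{name}-%{version}-build.patch
"""

TAG_RE = re.compile(r"^(\w+):\s*(.+?)\s*$")
CANONICAL_SF = "downloads.sourceforge.net"  # host named in the quoted guideline

def expand(value, macros):
    """Expand %{name}/%{version}; unknown macros are left untouched."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: macros.get(m.group(1).lower(), m.group(0)), value)

def classify(url):
    """Return 'local', 'sf-mirror', 'dynamic' or 'ok' for one expanded value."""
    parsed = urlparse(url)
    if not parsed.scheme:
        return "local"        # plain file name shipped alongside the spec
    host = (parsed.hostname or "").lower()
    on_sf = host == "sourceforge.net" or host.endswith(".sourceforge.net")
    if on_sf and host != CANONICAL_SF:
        return "sf-mirror"    # arbitrarily chosen mirror instead of the static host
    if parsed.query:
        return "dynamic"      # assumption: a query string marks a non-static URL
    return "ok"

def lint_spec(text):
    """Map each Source/Patch tag to (status, expanded value)."""
    tags = [m.groups() for m in map(TAG_RE.match, text.splitlines()) if m]
    macros = {k.lower(): v for k, v in tags if k.lower() in ("name", "version")}
    results = {}
    for key, value in tags:
        if re.fullmatch(r"(Source|Patch)\d*", key):
            url = expand(value, macros)
            results[key] = (classify(url), url)
    return results

if __name__ == "__main__":
    for key, (status, url) in lint_spec(SAMPLE_SPEC).items():
        print(f"{key:8} {status:10} {url}")
```

A URL classified `ok` is only a candidate for the checksum comparison mentioned above; the lint does not fetch or verify anything.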