Michael Schwendt wrote:
> On Sun, 22 Feb 2009 07:37:28 +0100, Ralf wrote:
>
>> The whole point behind Source-URL rules is to have a reliable,
>
> Making a Source-URL reliable is not the package maintainer's
> responsibility. All that matters is that the URL works during a package
> review request and at least does not give a 40x error. As some upstream
> projects like to change their web page directory structure from time to
> time, it can happen that download locations change, too. Rebuilding
> tarballs is done by some projects, too, for minor/subtle fixes even
> in readme files.
>
>> deterministic URL from which a package can be retrieved for e.g.
>> verification (e.g. checksum), legal reviews, tracking origins of packages
>> etc.
>
> How often does that happen?

More often than you think.

You just don't see such issues having an effect, because our policy is
so restrictive. Upstreams are moving between hosts, upstreams
are replacing tarballs, upstream sites are being compromised, ...

> There still is the URL tag which can be used to search for [and verify!]
> new download locations during a "legal review".

Yes, chasing URLs is the last resort. You can't seriously want
this to be the norm?

>> and to prevent Fedora from being vulnerable to upstream dynamics
>> (low quality random snapshots, bugs, compromised upstreams, etc.)
>
> ?! A static Source-URL alone doesn't achieve that.

Right, but comparing tarballs against those found on URLs does.

>> That said, the sourceforge rule is a "best-practice hint" to _prevent_
>> users from populating source-urls with one of sourceforge's mirrors.
>
> Historically, its goal has been a different one:
> Preventing packagers from pointing to the interactive mirror-selection
> web page at SF.net.

Well, yes, this also has been part of the motivation, but not the sole
purpose.

The real purpose these days is to be able to compare an *.src.rpm's
sources against those to be found on the given URL.

> Reviewers [still] prefer wget/curl-compatible download locations,

lftp, as far as I am concerned. Historically, I had found wget/curl to
be too unreliable ;)

> <cite>
> For packages hosted on sourceforge, use
> Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
> changing ".tar.gz" to whatever matches the upstream distribution. Note
> that we are using downloads.sourceforge.net instead of an arbitrarily
> chosen mirror.
> </cite>
>
> This has been found to "work most of the time" (while older ones like
> dl.sf.net stopped being reliable), but it's not bullet-proof either.

Right, nevertheless it's a static URL and not that of an arbitrary
mirror which might change every now and then.
Ralf
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
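The review step Ralf describes, comparing the tarball inside a *.src.rpm against the one served at the spec's Source0 URL, is the part of this thread a reviewer actually types. The script below is an added example written for this page; it is not from the thread, from Michael or Ralf, or from the Fedora guidelines. It assumes a POSIX shell with sed, sha256sum and curl, expands only the %{name} and %{version} macros in Source0, and assumes the SRPM's tarball has already been extracted (for instance with rpm2cpio, which the script itself does not call). The spec fields and tarball contents in the demo at the bottom are constructed so the example runs without network access.

```shell
#!/bin/sh
# Added example: verify that the tarball shipped in a src.rpm is byte-for-byte
# the one published at the spec's Source0 URL. A mismatch means upstream
# replaced the tarball, the packager used a different snapshot, or the
# download location no longer serves what the review approved.

# Print Source0 of a spec with %{name} and %{version} expanded.
# Only these two macros are handled; anything else is passed through verbatim.
source0_url() {
    spec=$1
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$spec" | head -n 1)
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$spec" | head -n 1)
    sed -n 's/^Source0:[[:space:]]*//p' "$spec" | head -n 1 \
        | sed -e "s/%{name}/$name/g" -e "s/%{version}/$version/g"
}

# Return 0 when both files have the same SHA-256, 1 otherwise; print both sums
# so the review comment can quote them.
sources_match() {
    srpm_sum=$(sha256sum "$1" | cut -d' ' -f1)
    upstream_sum=$(sha256sum "$2" | cut -d' ' -f1)
    printf 'srpm:     %s\nupstream: %s\n' "$srpm_sum" "$upstream_sum"
    [ "$srpm_sum" = "$upstream_sum" ]
}

# Full check: fetch Source0 and compare it with the tarball taken from the SRPM.
# Not exercised in the demo below because it needs network access.
verify_source0() {
    spec=$1
    srpm_tarball=$2
    url=$(source0_url "$spec")
    tmp=$(mktemp)
    # -f makes curl fail on HTTP 40x/50x instead of saving an error page
    # (an HTML error page would otherwise be "compared" as if it were a tarball).
    if ! curl -fsSL -o "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 2
    fi
    if sources_match "$srpm_tarball" "$tmp"; then status=0; else status=1; fi
    rm -f "$tmp"
    return $status
}

# Demo on constructed data (no network): a minimal spec plus two "downloads".
demo=$(mktemp -d)
cat > "$demo/foo.spec" <<'EOF'
Name:    foo
Version: 1.2.3
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
EOF
printf 'upstream tarball bytes\n' > "$demo/foo-1.2.3.tar.gz"  # as found in the SRPM
printf 'upstream tarball bytes\n' > "$demo/upstream.tar.gz"   # as served at Source0
printf 'rebuilt tarball bytes\n'  > "$demo/rebuilt.tar.gz"    # upstream quietly rebuilt it
echo "Source0 expands to: $(source0_url "$demo/foo.spec")"
sources_match "$demo/foo-1.2.3.tar.gz" "$demo/upstream.tar.gz" && echo "match"
sources_match "$demo/foo-1.2.3.tar.gz" "$demo/rebuilt.tar.gz" || echo "MISMATCH: do not approve until explained"
rm -rf "$demo"
```

In practice the SRPM tarball comes from `rpm2cpio foo.src.rpm | cpio -idm` and the call is `verify_source0 foo.spec foo-1.2.3.tar.gz`; a non-zero result is the "compromised upstream / replaced tarball" case the thread worries about and is worth a review comment quoting both sums.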