On Sun, 22 Feb 2009 13:35:13 +0100, Ralf wrote:

> > There still is the URL tag which can be used to search for [and verify!]
> > new download locations during a "legal review".
>
> Yes, chasing URLs is the last resort. You can't be seriously wanting
> this to be the norm?

Not "the norm", but acceptable in all the cases where the originally working Source-URL no longer works. In particular, packagers and reviewers must visit upstream web sites and verify release-versions and download-locations manually anyway. They could simply run spectool, rely on the accuracy of the Source-URL, and download a tarball without visiting web pages => but that would be sloppy.

> >> and to prevent Fedora from being vulnerable from upstream dynamics
> >> (low quality random snapshots, bugs, compromised upstreams, etc.)
> >
> > ?! A static Source-URL alone doesn't achieve that alone.
>
> Right, but comparing tarballs against those found on URLs does.

Not everything you mention above. - Well, occasionally it may find tarballs which have changed, but it cannot verify any of the exceptions covered by the Source URL Guidelines.

Also, can you show some statistics about how often this leads to something beneficial (such as brown paper-bag bug-fixes)?

| danms:BADSOURCE:libcmpiutil-0.4.tar.gz:libcmpiutil

$ md5sum libcmpiutil-0.4.tar.gz
48132314c5cbeb87d1c9e561f1c86b2b  libcmpiutil-0.4.tar.gz
$ cat sources
7ee1bb889c25e8ddc3b099b34ef159a5  libcmpiutil-0.3.tar.gz
78ca0dbcde4b1ceba6677f1f2fa6a90f  libcmpiutil-0.4.tar.gz

diff -Nur libcmpiutil-0.4-orig/aclocal.m4 libcmpiutil-0.4-new/aclocal.m4
-# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.10 -*- Autoconf -*-
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2005, 2006 Free Software Foundation, Inc.
[...]

...and so on. Both released on the same day. 2008-05-20. The newer one is an hour older. ;) Packager is upstream.
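The md5sum-against-sources comparison shown in the message above, written out as an added shell example; it is not code from the thread or from Fedora's own tooling. The "sources" file and the tarballs it checks are constructed here, and the BADSOURCE label is borrowed from the report line quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora's tools: check a downloaded
# tarball against the checksum recorded for it in a "sources" file
# ("<md5>  <filename>" per line, as in the message above).
# Return codes: 0 = listed and matches, 1 = listed but differs (BADSOURCE),
# 2 = not listed at all. md5sum is used because that is what the quoted
# sources file records; swap in sha512sum for a modern lookaside file.

# verify_source SOURCES_FILE TARBALL
verify_source() {
    sources_file=$1
    tarball=$2
    name=$(basename "$tarball")
    # Checksum recorded for this file name (second field); empty if unlisted.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sources_file")
    if [ -z "$expected" ]; then
        echo "UNLISTED: $name is not in $sources_file" >&2
        return 2
    fi
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name $actual"
        return 0
    fi
    echo "BADSOURCE: $name expected $expected, got $actual" >&2
    return 1
}

# Echo verify_source's return code instead of returning it (keeps the demo
# below, and any caller running under set -e, from aborting on a mismatch).
status_of() { verify_source "$1" "$2" >/dev/null 2>&1 && echo 0 || echo $?; }

# Constructed demo data: one tarball that matches its recorded checksum and one
# that was re-rolled upstream after the checksum was recorded.
demo_dir=$(mktemp -d)
printf 'original upstream contents\n' > "$demo_dir/foo-1.0.tar.gz"
printf 'silently re-rolled contents\n' > "$demo_dir/foo-1.1.tar.gz"
recorded=$(md5sum "$demo_dir/foo-1.0.tar.gz" | awk '{ print $1 }')
# foo-1.1 is recorded with a checksum the file on disk no longer has.
printf '%s  foo-1.0.tar.gz\n%s  foo-1.1.tar.gz\n' "$recorded" "$recorded" \
    > "$demo_dir/sources"

rc_ok=$(status_of "$demo_dir/sources" "$demo_dir/foo-1.0.tar.gz")        # 0
rc_bad=$(status_of "$demo_dir/sources" "$demo_dir/foo-1.1.tar.gz")       # 1
rc_unlisted=$(status_of "$demo_dir/sources" "$demo_dir/bar-2.0.tar.gz")  # 2
rm -rf "$demo_dir"
echo "ok=$rc_ok bad=$rc_bad unlisted=$rc_unlisted"
```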
[sf.net download urls]

> The real purpose these days is to be able to compare an *.src.rpm's
> sources against those to be found on the given URL.

| MUST: The package must meet the Packaging Guidelines .
|
|-> https://fedoraproject.org/wiki/Packaging/Guidelines#tags
|--> https://fedoraproject.org/wiki/Packaging/SourceURL
|---> https://fedoraproject.org/wiki/Packaging/SourceURL#Sourceforge.net

Fortunately, the current wording does not read like a strict MUST. It's a pain if reviewers insist on getting other sf.net urls fixed, and wget/curl/lftp cannot connect to the recommended url. In such a case, I'm willing to treat this guideline as "not mandatory" and put such urls in comments only.

Rationale can be found in the main ReviewGuidelines:

| MUST: The sources used to build the package must match the upstream
| source, as provided in the spec URL.

If "the spec URL" doesn't work, all that can be done is to choose from the remaining [and working!] download options, e.g. direct links to the mirrors.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list