Re: Source URL guidelines (was Re: source file audit - 2009-02-15)

Michael Schwendt wrote:
On Sun, 22 Feb 2009 13:35:13 +0100, Ralf wrote:

There still is the URL tag which can be used to search for [and verify!]
new download locations during a "legal review".
Yes, chasing URLs is the last resort. You can't be seriously wanting this to be the norm?

Not "the norm", but acceptable in all the cases where the originally
working Source-URL no longer works.
If a source-url doesn't work, the packager should update the URL and respin the package.


In particular, packagers and reviewers must visit upstream web sites
and verify release-versions and download-locations manually anyway.
Right, as well as arbitrary people who are investigating bugs, people who want to reuse a package, etc.


and to prevent Fedora from being vulnerable to upstream dynamics (low quality random snapshots, bugs, compromised upstreams, etc.)
?!  A static Source-URL alone doesn't achieve that alone.
Right, but comparing tarballs against those found on URLs does.

Not everything you mention above. - Well, occasionally it may find
tarballs which have changed, but it cannot verify any of the exceptions
covered by the Source URL Guidelines.
Please Michael, you are beginning to sound laughable.

A broken URL is a _hint_ that something might be in limbo.

A URL alone doesn't buy you anything.


| danms:BADSOURCE:libcmpiutil-0.4.tar.gz:libcmpiutil

$ md5sum libcmpiutil-0.4.tar.gz
48132314c5cbeb87d1c9e561f1c86b2b  libcmpiutil-0.4.tar.gz

$ cat sources
7ee1bb889c25e8ddc3b099b34ef159a5  libcmpiutil-0.3.tar.gz
78ca0dbcde4b1ceba6677f1f2fa6a90f  libcmpiutil-0.4.tar.gz

diff -Nur libcmpiutil-0.4-orig/aclocal.m4 libcmpiutil-0.4-new/aclocal.m4
-# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.10 -*- Autoconf -*-
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2005, 2006  Free Software Foundation, Inc.
[...]
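
Review bot: the visible lines differ only in the generated aclocal.m4 header (aclocal 1.10.1 versus 1.10, and the copyright year range), and everything after that is cut at "[...]", so this excerpt alone cannot show whether any hand-written source differs between the two trees. Compare the trees with the generated autotools files excluded before accepting either tarball, and record in sources the checksum of the one that was actually reviewed.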

...and so on. Both released on the same day. 2008-05-20. The newer one
is an hour older. ;) Packager is upstream.
Packager is doing a bad job.


Fortunately, the current wording does not read like a strict MUST.
Have you been to a beginners seminar of "rhetoric tricks"?

The wording has always been intended to be a must.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
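
The tarball comparison argued over in this thread, as an added example that is not part of the original message and is not Fedora's audit script: it checks the bytes fetched from a Source URL against the checksum recorded in the sources file and emits lines in the shape of the BADSOURCE line quoted above. The function names, the BADURL label and the sample bytes are assumptions made for the illustration.

```python
import hashlib

def parse_sources(text):
    """Parse a `sources` file: one '<md5hex>  <filename>' pair per line."""
    recorded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32:
            recorded[parts[1]] = parts[0].lower()
    return recorded

def audit(owner, package, sources_text, fetched):
    """Return report lines for files whose upstream bytes do not match.

    `fetched` maps filename -> bytes downloaded from the spec's Source URL,
    or None when the URL no longer resolves.
    """
    recorded = parse_sources(sources_text)
    report = []
    for name, data in sorted(fetched.items()):
        if data is None:
            # BADURL is an assumed label; only BADSOURCE appears in the thread.
            report.append(f"{owner}:BADURL:{name}:{package}")
            continue
        # MD5 matches the `sources` format shown above. It catches a re-rolled
        # tarball, but it is not collision resistant against a deliberate forgery.
        digest = hashlib.md5(data).hexdigest()
        if recorded.get(name) != digest:
            report.append(f"{owner}:BADSOURCE:{name}:{package}")
    return report

# Constructed sample data, not the real libcmpiutil tarballs.
IMPORTED = b"constructed bytes: tarball as imported by the packager"
REROLLED = b"constructed bytes: tarball re-rolled under the same name"
SOURCES = f"{hashlib.md5(IMPORTED).hexdigest()}  libcmpiutil-0.4.tar.gz\n"

if __name__ == "__main__":
    upstream_now = {"libcmpiutil-0.4.tar.gz": REROLLED}
    for line in audit("danms", "libcmpiutil", SOURCES, upstream_now):
        print(line)
```

A dead URL and a changed tarball come out as different findings, which is the distinction the thread turns on: the first is only a hint, the second is a byte-level mismatch.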
