2010/7/16 Mattias Ellert <mattias.ellert@xxxxxxxxxxxx>:
> Fri 2010-07-16 at 18:26 +0800, Chen Lei wrote:
>
>> I think using a git repo for meego packages has more
>> harm than benefit, because the most important feature for rpm is that
>> people can validate the md5sum of the source tarball easily. Unless in a
>> special case we can't find a way to get reliable source tarballs, I
>> think it's better to use tarballs rather than get source files from
>> VCS.
>
> This is not a valid argument. The guidelines specify how to document in
> the specfile how to reproduce a source tarball created from VCS. The
> reviewer, in order to verify the source, recreates the source using the
> given specification and compares his created copy with the one in the
> SRPM. I agree that this comparison would normally have to be done using
> diff -r rather than md5sum due to timestamps of directories and
> differences in user and group assignments of the checked out files, but
> the verification is still possible and valid.
>
> Mattias

Yes, it's not wrong to pull source from VCS, and we can compare source files
using diff -r, but it's not as easy as checking the md5sum. The Meego project
has dozens of specific packages, and it's not convenient to check source files
for so many packages; also, there are some packages that don't have proper
tags in the meego VCS.

The Meego repo is a reliable place to get source and is also the upstream; we
don't have any security problem when using source files from the upstream
repo. If we have an easy way to get source files, why would we still use a
hard way?

Regards,
Chen Lei
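
The comparison discussed in this thread, as an added example that is not part of the original messages: two tarballs packed from the same checkout get different md5sums because of timestamps and ownership, while a content-only comparison (the equivalent of diff -r) still matches and still catches a changed file. The package name, file contents, timestamps and user names are constructed sample data.

```python
import hashlib
import io
import tarfile

def make_tarball(files, mtime, uid, uname):
    """Build a .tar archive in memory from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime, info.uid, info.gid = mtime, uid, uid
            info.uname = info.gname = uname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def manifest(tar_bytes):
    """Map each member path to a content digest, ignoring mtime and ownership."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            elif m.issym() or m.islnk():
                out[m.name] = "link:" + m.linkname
            else:
                out[m.name] = "dir" if m.isdir() else "special"
    return out

def tree_diff(a, b):
    """Return paths that are missing on one side or whose content differs."""
    ma, mb = manifest(a), manifest(b)
    return sorted(p for p in ma.keys() | mb.keys() if ma.get(p) != mb.get(p))

def md5(data):
    return hashlib.md5(data).hexdigest()

# Constructed sample: the same checkout packed by the packager and by the reviewer.
SRC = {"pkg-1.0/Makefile": b"all:\n\tcc -o pkg main.c\n",
       "pkg-1.0/main.c": b"int main(void) { return 0; }\n"}
srpm_tar = make_tarball(SRC, mtime=1279275960, uid=1000, uname="packager")
review_tar = make_tarball(SRC, mtime=1279300000, uid=1001, uname="reviewer")
tampered_tar = make_tarball({**SRC, "pkg-1.0/main.c": b"int main(void) { return 1; }\n"},
                            mtime=1279275960, uid=1000, uname="packager")

if __name__ == "__main__":
    print("md5 equal:", md5(srpm_tar) == md5(review_tar))
    print("content diff:", tree_diff(srpm_tar, review_tar))
    print("tampered diff:", tree_diff(srpm_tar, tampered_tar))
```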