Re: Is it possible to upload new sources of a package from a URL?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Dne 3.10.2017 v 08:21 Vít Ondruch napsal(a):
>
> Dne 2.10.2017 v 22:31 Hedayat Vatankhah napsal(a):
>> /*Björn Persson*/ wrote on Mon, 2 Oct 2017 16:28:02 +0200:
>>> Dennis Gilmore <dennis@xxxxxxxx> wrote:
>>>> Today We rely on you as a packager
>>>> verifying the sources, and by uploading them directly you are saying
>>>> this is really what I intended to send you and I have ensured that it
>>>> is good.  You would need to work with release engineering and
>>>> infrastucture to come up with some way to sign off on the code being
>>>> used.
>>> Like maybe writing a hash of the tarball in the sources file (with some
>>> help from fedpkg perhaps) and checking that in? Then a server in the
>>> Fedora Project infrastructure could fetch the tarball from the Source
>>> URL in the spec and verify that it matches the hash.
>> I think it should work & it should be easy enough.
>>
>> Also, instead of 'pulling down from random machines', it'd be enough
>> if it is not a random machine, but packager's fedorapeople space. It'd
>> be enough if there is a way to upload sources from there (and possibly
>> remove them automatically after that).
> If the sources were downloaded from somewhere, then it should be the
> SourceX URL, nothing else makes sense IMHO. I know that you can create
> the source archive by yourself for various reasons, but that should be
> exception, not the rule ...
>
>
> Vít

Actually, just submitting rebase PR in Pagure dist-git, this should be
implemented although from completely different reasons. Let me explain.

If I submit my PR there are two scenarios:

1) I don't upload the sources myself, the package will become FTBFS
after the merge, since it won't find the sources

2) I upload the sources, but a) the PR never gets merged. This is waste
of resources if nothing else, but b) the sources contains something
inappropriate (we try to encourage everybody to submit PR, no matter on
experiences etc, right?), now we have the sources in cache and they need
to be expelled manually ...

Actually has the submitter always the right to upload the sources? Dunno
....

Based on this, I think this should be reconsidered.


Vít
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux