On 24. 06. 21 23:07, Miroslav Suchý wrote:
Dne 24. 06. 21 v 15:48 Tomas Tomecek napsal(a):
One thing to consider is that the upstream tarballs might be cryptographically
signed and packages should verify the signature in %prep.
This is a very good point - in such a case, we should always pull the
official upstream tarball instead of generating a new one downstream
Does it matter? If you are able to generate byte2byte identical tarball then
you can choose any of them.
AFAIK git does not grantee to produce byte2byte identical archives across
different versions of git, zlib, gzip etc. So even if upstream signs the git
generated archive, generating a byte2byte identical one might be tricky.
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure