On Thu, Jun 24, 2021, at 5:22 PM, Miro Hrončok wrote: > On 24. 06. 21 23:07, Miroslav Suchý wrote: > > Dne 24. 06. 21 v 15:48 Tomas Tomecek napsal(a): > >>> One thing to consider is that the upstream tarballs might be cryptographically > >>> signed and packages should verify the signature in %prep. > >> This is a very good point - in such a case, we should always pull the > >> official upstream tarball instead of generating a new one downstream > > > > Does it matter? If you are able to generate byte2byte identical tarball then > > you can choose any of them. > > AFAIK git does not grantee to produce byte2byte identical archives across > different versions of git, zlib, gzip etc. So even if upstream signs the git > generated archive, generating a byte2byte identical one might be tricky. See also https://github.com/cgwalters/git-evtag _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
