https://bugzilla.redhat.com/show_bug.cgi?id=1173773 --- Comment #18 from Adam Williamson (Fedora) <adamw+fedora@xxxxxxxxxxxxxxxxx> --- Well, pants, now I find the references for this stuff: https://fedorahosted.org/fpc/ticket/252 https://fedorahosted.org/fpc/ticket/233 https://fedorahosted.org/fpc/ticket/233#comment:9 which suggest the intent really *is* 'don't ever use github-generated tarballs from tags', the justification being that "Yes, the problem is that what commit a version points to can change while a commitid can't change. So if you want to download the same tarball you can't use a version." Since the guideline was drafted github invented the 'Releases' workflow, which is really just a bit of extra metadata on top of a tag AFAICT. The guideline also don't seem to have taken into account the difference between lightweight and annotated tags, because - as discussed in the thread I referred to earlier, https://lists.fedoraproject.org/pipermail/packaging/2014-September/010288.html - 'parse-rev' doesn't give you a commit ID for an annotated tag, it gives you the tag object's ID. But neither of those makes a difference to that justification (or the file mtime justification). I just checked and you can edit both annotated tags and github 'Releases' after creating them, so neither is immutable. And github still generates the tarballs on the fly, so they have their mtime set to whenever you download them. I'm probably not willing to get up on the horse and challenge the 'tags are mutable' rationale for not allowing github-generated tag tarballs, so I'll respect the apparent intent of the existing guideline and switch to a commit-based tarball (grmph). The wording about "If the upstream does create tarballs you should use them", when read in context in #233, appears to have been added by Toshio as he was worried the guideline would be read as applying to *any project hosted in github* even if it maintained a release archive with curated tarballs. I suppose the guideline still needs updating to provide a correct command for finding the commit ID for annotated tags, and perhaps to clarify this stuff since we (or at least I...) seem to keep tripping over it. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list package-review@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/package-review