https://bugzilla.redhat.com/show_bug.cgi?id=1231318

Mathieu Bridon <bochecha@xxxxxxxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bochecha@xxxxxxxxxxxxxxxxx

--- Comment #10 from Mathieu Bridon <bochecha@xxxxxxxxxxxxxxxxx> ---
> The guidelines even mention to use the release tarball:
>
> "If the upstream does create tarballs you should use them as tarballs provide
> an easier trail for people auditing the packages."

Except upstream does not create release tarballs.

That URL you are using is automatically generated by GitHub.

Look at this project as an example:
https://github.com/Cangjians/libcangjie/releases

I'm upstream, and I created the libcangjie-%{version}.tar.gz files myself,
which I uploaded to GitHub.

But the "Source code (zip)" and "Source code (tar.gz)" links are automatically
generated by GitHub. I know, because I never uploaded those files. :)

In the case of your upstream, the only tarballs published are the automatically
generated GitHub ones.

As a result, Remi is correct, you should not use those URLs.