https://bugzilla.redhat.com/show_bug.cgi?id=1231318 --- Comment #12 from Mathieu Bridon <bochecha@xxxxxxxxxxxxxxxxx> --- (In reply to Michael Cronenworth from comment #11) > (In reply to Mathieu Bridon from comment #10) > > As a result, Remi is correct, you should not use those URLs. > > Bring it up with FPC to change it then. Well no, the guidelines are entirely correct. > Github provides a mechanism to create tarballs on demand, either from a > specific commit revision, or from a specific tag. If the upstream does > not create tarballs for releases, you can use this mechanism to produce > them. If the upstream does create tarballs you should use them as > tarballs provide an easier trail for people auditing the packages. In this case, upstream does not produce tarballs. > For a number of reasons (immutability, availability, uniqueness), you > must use the full commit revision hash when referring to the sources. This is what Remi told you: if you use the automatically generated tarballs, you must not use the git tag in the URL, you must instead use the full commit hash. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list package-review@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/package-review