On Wed, 24 Aug 2011 07:23:30 -0700 Toshio Kuratomi <a.badger@xxxxxxxxx> wrote: > On Wed, Aug 24, 2011 at 08:45:20AM -0400, James Laska wrote: > > > < Location: > > > https://raw.github.com/dougsland/nagios-plugins-rhev/master/nagios-plugins-rhev-1.0.0.tar.gz > > Side comment to your main issue: How is this tarball being > generated? I see in the review request that the md5sum of the file > at that URL has changed over time. If it's just the upstream not > officially releasing this tarball until the Fedora RPM is out and > therefore making changes to the tarball to address review criteria > it's not standard practice but okay. If the tarball is going to > continue to evolve with this same name after the Fedora RPM is > reviewed, then it's probably better to generate a git snapshot. > > The aim is to make things reproducible. If we can't count on getting > the same tarball once the rpm is built, we'd rather have instructions > on making a snapshot that has a revision id that we can count on > pulling to get the same set of files at a later date. I've done a few reviews on github packages. Even if you download a stable tag tarball from the project in github (which in theory should be equivalent to using a stable release tarball), it turns out that the checksums might not match a few days after. I think github caches the tarballs it generates for a few days, so if you grab the same tarball repeatedly, you'll get the same md5sum. If you wait a longer time, you will get a different result. But even though the md5sums won't match, the contents will still be the same. -- Jussi Lehtola Fedora Project Contributor jussilehtola@xxxxxxxxxxxxxxxxx -- packaging mailing list packaging@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/packaging
