tor 2013-05-30 klockan 11:51 +0200 skrev Björn Esser: > > I'd say "NO WAY", because tags can be created/deleted/altered by anyone > having write-access to the repo. They are NOT explicitly meant to be > created-once-lasts-forever or points-to-same-commit-sha-forever, so > checking the tarball to be pristine might be close to impossible in the > future, if the tag will be altered pointing to an other commit or be > deleted. This may lead to FTBFS as well. An URL like this also _WILL_ > lead to conflicting names of source-tarballs, because it's only named to > the version and not to the app's name. Don't forget the naming > guidelines: "When naming a package, the name should match the upstream > tarball or project..." > > https://fedoraproject.org/wiki/Packaging:NamingGuidelines?rd=Packaging/NamingGuidelines#General_Naming > > So using the URL from the guidelines all will be fine, because it will > create a tarball named containing the projectname, version and the > definitive unique and forever-lasting commit-sha... Why is a tarball published on github less valuable than a tarball published anywhere else? Admittedly, as you say a tag in github can be removed and reapplied again on a different commit. However, a well behaving upstream will not do this. This is not something unique to github - the same can happen on a git server somewhere else and in svn and cvs too. Also a tarball published by upstream on a separate server can be replaced with a different one if upstream is not well behaved. If you do not accept the tarball generated from the github tag published on the github server, why would you accept any source tarball published anywhere? They both can be replaced at any time by a weirdly behaving upstream. And neither will be replaced by a well behaving one. Mattias
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
-- packaging mailing list packaging@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/packaging
