On 24/06/2015 20:02, Gerald B. Cox wrote:
> but I don't believe mandating
> commit hash in all circumstances is the way to do it.

I think the current Guideline is "clear" and doesn't need to be changed.

Please explain how you can check that the sources used to build a package are the correct ones?

When upstream provides a tarball (usually because they run "make dist" to provide a usable archive), if they regenerate this tarball and reupload it, the checksum will change.

With tag auto-generated archives, the checksum is not reliable. As explained in the Guidelines:

"Keep in mind that github tarballs are generated on-demand, so their modification dates will vary and cause checksum tests to fail."

So again: "For a number of reasons (immutability, availability, uniqueness), you must use the full commit revision hash when referring to the sources."

Yes, there are a number of packages which don't respect these Guidelines and use tag/release archives (probably old packages). But there are also a number of packages which respect them. And it is the role of the reviewer to check and explain this. Nothing complex. Enough examples in the wiki/repo to look at.

Remi.

--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging
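As an added example (not from this thread and not Fedora's own tooling), here is the reviewer-side check the message describes: a Source URL pointing at a GitHub archive by tag or branch is regenerated on demand, while one addressed by a full commit revision hash is not. The spec text, repository name and commit hash below are constructed.

```python
"""Flag GitHub archive Sources in an RPM spec that use a tag/branch ref."""
import re

# .../archive/<ref>.tar.gz  or  .../archive/<ref>/<anything>.tar.gz
GITHUB_ARCHIVE = re.compile(
    r"https?://github\.com/[\w.-]+/[\w.-]+/archive/"
    r"(?P<ref>[^/\s]+?)(?:/[^\s]+)?\.(?:tar\.gz|zip)$"
)
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")
SOURCE_LINE = re.compile(r"^Source\d*\s*:\s*(?P<url>\S+)", re.IGNORECASE)

def expand_macros(value, macros):
    """Expand %{name}-style macros from a dict (no shell or conditionals)."""
    return re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), value)

def collect_macros(spec_text):
    """Collect Name:, Version: and simple %global definitions."""
    macros = {}
    for line in spec_text.splitlines():
        m = re.match(r"^%global\s+(\w+)\s+(\S+)", line)
        if m:
            macros[m.group(1)] = expand_macros(m.group(2), macros)
        m = re.match(r"^(Name|Version)\s*:\s*(\S+)", line)
        if m:
            macros[m.group(1).lower()] = expand_macros(m.group(2), macros)
    return macros

def check_sources(spec_text):
    """Return (expanded_url, verdict) for every GitHub archive Source line."""
    macros = collect_macros(spec_text)
    results = []
    for line in spec_text.splitlines():
        m = SOURCE_LINE.match(line)
        if not m:
            continue
        url = expand_macros(m.group("url"), macros)
        g = GITHUB_ARCHIVE.match(url)
        if not g:
            continue  # not a GitHub on-demand archive; checksum is upstream's
        ref = g.group("ref")
        if FULL_COMMIT.match(ref):
            results.append((url, "ok: full commit hash"))
        else:
            results.append((url, f"reject: ref '{ref}' is a tag/branch, archive is regenerated on demand"))
    return results

# Constructed spec fragments: one following the Guideline, one using a tag.
SPEC_OK = """Name:    example
Version: 1.2.3
%global commit 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83
Source0: https://github.com/example-org/example/archive/%{commit}/%{name}-%{commit}.tar.gz
"""
SPEC_BAD = """Name:    example
Version: 1.2.3
Source0: https://github.com/example-org/example/archive/v%{version}.tar.gz
"""
```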