On 25.6.2015 at 07:05, Remi Collet wrote:
> On 24/06/2015 20:02, Gerald B. Cox wrote:
>
>> but I don't believe mandating
>> commit hash in all circumstances is the way to do it.
> I think the current Guideline is "clear" and doesn't need to be changed.
>
> Please explain how you can check that the sources used to build a package
> are the correct ones?
>
> When upstream provides a tarball (usually because they run "make dist"
> to provide a usable archive), if they regenerate this tarball and
> reupload it, the checksum will change.

So now you have a new checksum, but in dist-git there is probably an already uploaded tarball of the same name with a different checksum, and now you don't know what happened.

Also, I am not a git expert, but I believe that if I force the Git repository, the hash might be completely missing next time. Not sure how the hash recorded in the .spec file will help you.

So as for me, I am using and supporting the approach Gerald is proposing, because I believe it works in 99,9% of cases and it is intuitive and simple, which I cannot say about the current guidelines.

Vít

>
> With TAG auto-generated archives, the checksum is not reliable.
>
> As explained in the Guidelines:
>
> "Keep in mind that github tarballs are generated on-demand,
> so their modification dates will vary and cause checksum tests
> to fail."
>
> So again
>
> "For a number of reasons (immutability, availability,
> uniqueness), you must use the full commit revision
> hash when referring to the sources."
>
> Yes, there are a number of packages which don't respect these Guidelines
> and use tag/release archives (probably old packages). But there are also a
> number of packages which respect them.
>
> And it is the role of the reviewer to check and explain this.
> Nothing complex. Enough examples in the wiki/repo to look at.
>
>
> Remi.
> --
> packaging mailing list
> packaging@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/packaging
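An added example, not part of this thread or of the Fedora guidelines: it shows why a regenerated tarball fails a checksum test even when nothing in the source changed, and how a reviewer can tell a repack from a real content change. The file names and contents are constructed sample data, and `content_digest` and `classify` are hypothetical helpers.

```python
import gzip, hashlib, io, tarfile

# Constructed sample source tree (not a real package).
SAMPLE = {"pkg-1.0/configure": b"#!/bin/sh\necho ok\n",
          "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n"}

def make_tarball(files, mtime):
    """Build a .tar.gz in memory; mtime stamps each member and the gzip header."""
    raw = io.BytesIO()
    with gzip.GzipFile(fileobj=raw, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in sorted(files.items()):
                info = tarfile.TarInfo(name)
                info.size, info.mtime = len(data), mtime
                tar.addfile(info, io.BytesIO(data))
    return raw.getvalue()

def archive_digest(blob):
    """SHA-256 of the archive bytes, i.e. what a plain checksum test compares."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over member names, types, modes and file bytes only.
    Timestamps, owner fields and compression details are ignored."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            body = tar.extractfile(m).read() if m.isfile() else m.linkname.encode()
            h.update(f"{m.name}\0{m.type.decode()}\0{m.mode:o}\0{len(body)}\0".encode())
            h.update(body)
    return h.hexdigest()

def classify(old, new):
    """Compare the tarball already stored with a freshly downloaded one."""
    if archive_digest(old) == archive_digest(new):
        return "identical"
    if content_digest(old) == content_digest(new):
        return "repacked"   # same sources, archive regenerated
    return "changed"        # file contents or metadata that matters differ

if __name__ == "__main__":
    stored = make_tarball(SAMPLE, mtime=1435000000)
    regenerated = make_tarball(SAMPLE, mtime=1435100000)
    print(classify(stored, regenerated))
```

A "repacked" result means only archive metadata moved; "changed" means the sources under the same name really differ and need review.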