On Thu, Jun 25, 2015 at 07:22:57AM +0200, Vít Ondruch wrote:
> On 25.6.2015 at 07:05, Remi Collet wrote:
> > On 24/06/2015 20:02, Gerald B. Cox wrote:
> > >
> > > > but I don't believe mandating
> > > > commit hash in all circumstances is the way to do it.
> > I think the current Guideline is "clear" and doesn't need to be changed.
> >
> > Please explain how you can check that the sources used to build a package
> > are the correct ones?
> >
> > When upstream provides a tarball (usually because they run "make dist"
> > to provide a usable archive), if they regenerate this tarball and
> > reupload it, the checksum will change.
>
> So now you have a new checksum, but in dist-git there is probably already
> an uploaded tarball of the same name with a different checksum, and now you
> don't know what happened.
>
> Also, not a git expert, but I believe that if I force-push the Git repository,
> the hash might be completely missing next time. Not sure how the hash
> recorded in the .spec file will help you.

No, git will keep the hash of the commit, even if you force-push it (at least up to a certain point/time), so you would be able to find back which commit the package was built from.

Pierre
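The point about force-pushes, shown as an added example that is not part of the thread: a throwaway repository is created with mktemp, a release commit is made and its hash recorded (as a .spec file would), history is then rewritten so no branch points at that commit, and the hash still resolves until the reflog expires and gc prunes the object. It assumes git is installed; all repository names and messages are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a commit hash recorded in a .spec file
# keeps resolving after the upstream branch is rewritten, and only stops
# resolving once the reflog entries expire and gc prunes the unreachable object.
set -eu

GIT_ID="-c user.name=demo -c user.email=demo@example.invalid"   # constructed identity

# Create a throwaway "upstream" repo with one release commit, record its hash,
# then rewrite history (as a force-push would) so no ref points at it any more.
make_rewritten_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" $GIT_ID commit -q --allow-empty -m "v1.0 release"
    recorded=$(git -C "$repo" rev-parse HEAD)          # what the .spec would record
    git -C "$repo" $GIT_ID commit -q --amend --allow-empty -m "v1.0 release (rewritten)"
    echo "$repo $recorded"
}

# Does the recorded commit still exist as an object? Prints "retained" or "gone".
commit_status() {
    if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo retained; else echo gone; fi
}

# The "certain point/time": expire reflog entries and prune unreachable objects.
expire_and_prune() {
    git -C "$1" reflog expire --expire=now --expire-unreachable=now --all
    git -C "$1" reflog expire --expire=now --expire-unreachable=now HEAD
    git -C "$1" gc -q --prune=now
}

# Run the whole scenario; prints the status before and after pruning.
force_push_scenario() {
    set -- $(make_rewritten_repo)
    before=$(commit_status "$1" "$2")
    expire_and_prune "$1"
    after=$(commit_status "$1" "$2")
    rm -rf "$1"
    echo "$before $after"
}

force_push_scenario   # prints: retained gone
```

A package built from the recorded hash can therefore be verified as long as the commit object survives, which is why the retention window matters for provenance checks.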