On Fri, 26 Jun 2015 16:11:02 -0700 "Gerald B. Cox" <gbcox@xxxxxx> wrote:

> On Fri, Jun 26, 2015 at 2:37 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> > Yeah, that was me. I just haven't had time to do it.
>
> Hey Kevin,
>
> Maybe you can explain something to me because I'm not getting it.

Well, I was answering the question about the old script I used to run, I actually didn't say anything about tags. ;)

The sourcecheck script I ran would check the source(s) that had been uploaded to our lookaside cache against the upstream version (where the spec had a full url to the source we could download and checksum). For the cases where there was not a full url, we just skipped that package.

If the downloaded source was the same as in the lookaside, great.

If the source wasn't downloadable from that url, it likely moved or there was a problem with upstream's site.

In the final case, if the checksum differed, it meant that the maintainer made a mistake uploading or upstream changed the same release after it was released.

> Why is this considered a significant issue? For example, someone
> downloads project-tag1 using Git. tag1 is effectively %{version}
>
> The tar file which is downloaded is permanently associated with
> 40...character...tag..a
>
> Then at sometime down the road, upstream decides oh, I made a
> mistake, I now want to associate project-tag1 with
> 40...character...tag..b (even though that is considered "insane")
>
> In the srpm, we still have 40...character...tag..a as the commit hash
> associated to %{version}
>
> The only thing I can imagine is that the next release of that package
> in Fedora would just increment the Release tag by 1 and leave the
> %{version} the same.
>
> Why is this such a big issue within the Fedora community?

Because you have multiple things with the same name.

Say upstream releases project v1 with tag1. Maintainer downloads it, builds it and sends it to users. Now upstream decides they want to move the tag on v2 to tag2.

Now you and all fedora users think v1 is tag1. Upstream thinks v1 is tag2. When all these people talk they get confused. Upstream might say: "oh, we fixed that and moved the tag", but then what does the fedora maintainer do? v1-2? What do people reporting bugs report against? How can you tell how long a security vulnerability has been out if it was in v1?

> I'm re-thinking the fact I added all that text regarding re-tagging.
> Yes, it's bad, but as someone pointed out, we're not the Git police -
> and even though some people believe it is pervasive, I consider that
> anecdotal. Unless I can understand more about the harmful impact, I
> believe I'm just causing more confusion by discussing it.

I think telling upstream how to use tags isn't that great, but also I don't think we should depend on them. I absolutely think it's fine for us to tell upstreams that releasing the same version with different content at different times is bad and that they should not do it. It causes pain for everyone, themselves included.

kevin
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging
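The sourcecheck workflow Kevin describes (expand the Source URLs from the spec, skip the ones that are not full URLs, download the rest, checksum them, and sort the outcome into "same", "not downloadable" and "checksum differs") as an added Python example. This is not the original script or any Fedora tooling: the spec text, the upstream byte strings and the lookaside table are constructed in-line so it runs offline, `http_fetch` is an assumed stand-in for a real downloader, and the lookaside is modelled as a basename-to-SHA-256 map rather than the real cache layout.

```python
import hashlib
import re
import urllib.request
from enum import Enum


class Verdict(Enum):
    """Outcomes of one Source check, one per case described in the mail."""
    MATCH = "match"              # lookaside copy equals the upstream bytes
    SKIPPED = "skipped"          # Source line is not a full URL: nothing to compare against
    UNREACHABLE = "unreachable"  # download failed: file moved or upstream site problem
    MISMATCH = "mismatch"        # checksum differs: bad upload or a re-released tarball


def parse_spec(spec_text):
    """Collect macros (Name/Version/Release plus %define/%global) and SourceN lines."""
    macros, sources = {}, {}
    for line in spec_text.splitlines():
        line = line.strip()
        m = re.match(r"^(Name|Version|Release):\s*(\S+)", line)
        if m:
            macros[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"^%(?:define|global)\s+(\w+)\s+(\S+)", line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^Source(\d*):\s*(\S+)", line)
        if m:
            sources[int(m.group(1) or 0)] = m.group(2)
    return macros, sources


def expand_macros(value, macros, max_rounds=10):
    """Expand %{macro} references, repeating so nested definitions resolve."""
    for _ in range(max_rounds):
        expanded = re.sub(r"%\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def check_source(url, lookaside_sha256, fetch):
    """Classify one Source: skip non-URLs, then download and compare checksums."""
    if not re.match(r"^(https?|ftp)://", url):
        return Verdict.SKIPPED
    try:
        data = fetch(url)
    except Exception:
        return Verdict.UNREACHABLE
    if hashlib.sha256(data).hexdigest() == lookaside_sha256:
        return Verdict.MATCH
    return Verdict.MISMATCH


def check_spec(spec_text, lookaside, fetch):
    """Return {source_number: (expanded_url, Verdict)} for every SourceN in the spec."""
    macros, sources = parse_spec(spec_text)
    results = {}
    for number, raw in sorted(sources.items()):
        url = expand_macros(raw, macros)
        basename = url.rsplit("/", 1)[-1]
        results[number] = (url, check_source(url, lookaside.get(basename), fetch))
    return results


def http_fetch(url, timeout=60):
    """Assumed real-world fetcher; the demo below uses an offline stand-in instead."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


# --- constructed demo data (not real packages, hashes or URLs) ---
SAMPLE_SPEC = """\
Name:    example
Version: 1.0
Release: 1%{?dist}
%global commit 0123456789abcdef0123456789abcdef01234567
Source0: https://example.invalid/example/archive/%{commit}/%{name}-%{version}.tar.gz
Source1: https://example.invalid/old-location/%{name}-docs.tar.gz
Source2: %{name}.desktop
Source3: https://example.invalid/example/%{name}-%{version}-retagged.tar.gz
"""

V1_TARBALL = b"constructed tarball bytes for v1"
FAKE_UPSTREAM = {
    "https://example.invalid/example/archive/0123456789abcdef0123456789abcdef01234567/example-1.0.tar.gz": V1_TARBALL,
    # Source1 is deliberately absent: simulates a moved file or dead upstream URL
    "https://example.invalid/example/example-1.0-retagged.tar.gz": b"constructed tarball bytes for v1, RE-RELEASED",
}

LOOKASIDE = {  # what the maintainer uploaded, keyed by basename
    "example-1.0.tar.gz": hashlib.sha256(V1_TARBALL).hexdigest(),
    "example-docs.tar.gz": hashlib.sha256(b"constructed docs bytes").hexdigest(),
    "example-1.0-retagged.tar.gz": hashlib.sha256(V1_TARBALL).hexdigest(),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch: unknown URLs fail like a dead link."""
    if url not in FAKE_UPSTREAM:
        raise ConnectionError(f"constructed 404 for {url}")
    return FAKE_UPSTREAM[url]


if __name__ == "__main__":
    for number, (url, verdict) in check_spec(SAMPLE_SPEC, LOOKASIDE, fake_fetch).items():
        print(f"Source{number}: {verdict.value:<11} {url}")
```

Source3 is the re-tag scenario from the thread: the maintainer's lookaside copy is the bytes originally published under that version, upstream later republished different bytes under the same name, and the check reports `mismatch` without being able to say which side is at fault; only the `skipped` case (no full URL) gives no signal at all, which is why the script could not cover every package.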