On 19/02/2020 09:51, Luboš Luňák wrote:
> On Tuesday 18 of February 2020, Eike Rathke wrote:
>> On Monday, 2020-02-17 19:06:23 +0100, Luboš Luňák wrote:
>>> And is there any worthwhile gain in insisting on using upstream
>>> tarballs?
>>
>> Reliable checksums and reproducible packaging.
>> A responsible developer introducing a new tarball on the download server
>> a) checks it against the official checksum after download
>> b) creates the SHA256SUM of the file to use in download.lst
>> Any repacking invalidates that, specifically on a developer's machine
>> could introduce omissions or additions.
>
> That is the theory, but the reality is that we already do have some tarballs
> that do not have any matching upstream tarballs (e.g. because they do not exist),
> so I think that point is moot.

But the theory is definitely something worth aiming for, IMO. Ever so
often have I been frustrated in trying to track down the origins of some
artifact at <https://dev-www.libreoffice.org/src/>. (And I still think
we should put that site under some kind of version control, with a
journal detailing how exactly each individual artifact was obtained.
But that's a somewhat different issue.)
(That doesn't mean that at least I suggest repackaging is something we
should avoid at all cost. IMO, it may be an option if it can be done in
an accountable way and has some clear benefit.)
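
Added example, not part of the original thread and not LibreOffice tooling: it illustrates the quoted point that repacking invalidates the archive checksum, and one way a repack could be checked for omissions or additions by comparing per-file digests. The archives, file names and function names are constructed for illustration.

```python
import hashlib
import io
import tarfile

def make_tar(files, mtime):
    """Pack {name: bytes} into an uncompressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def manifest(blob):
    """Map every regular file in the archive to the SHA-256 of its content."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return {m.name: sha256(tar.extractfile(m).read())
                for m in tar if m.isfile()}

def compare(upstream, repacked):
    """Report what a repack dropped, added or altered relative to upstream."""
    a, b = manifest(upstream), manifest(repacked)
    return {"omitted": sorted(a.keys() - b.keys()),
            "added": sorted(b.keys() - a.keys()),
            "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}

# Constructed sample data: a tiny "upstream" release and two repacks of it.
FILES = {"lib-1.0/configure": b"#!/bin/sh\n", "lib-1.0/src/a.c": b"int a;\n"}
UPSTREAM = make_tar(FILES, mtime=1581900000)
CLEAN_REPACK = make_tar(FILES, mtime=1582000000)   # same content, new timestamps
BAD_REPACK = make_tar({"lib-1.0/src/a.c": b"int a = 1;\n",
                       "lib-1.0/extra.sh": b"echo hi\n"}, mtime=1582000000)

if __name__ == "__main__":
    # The archive digest changes even when no file content does ...
    print(sha256(UPSTREAM) == sha256(CLEAN_REPACK))
    # ... while the per-file manifest shows the repack is content-identical,
    print(compare(UPSTREAM, CLEAN_REPACK))
    # and pinpoints omissions, additions and edits when it is not.
    print(compare(UPSTREAM, BAD_REPACK))
```

The comparison covers regular file content only; file modes, symlinks and other metadata would need their own checks.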