Packaging Guidelines - creating tarball from VCS with script
Kevin Fenzi
kevin at scrye.com
Wed May 16 16:10:17 UTC 2012
On Tue, 15 May 2012 23:30:27 +0300
Oron Peled <oron at actcom.co.il> wrote:
...snip...
> * A .spec file with the extra %vcs_prep and Vcs-URL can create SRPM
> directly from the vcs-repo. This SRPM can be uploaded to our
> build system and be used for building *without* any interaction
> with the vcs.

I very much dislike this. Currently official builds cannot use src.rpms,
they must use VCS. This allows us to be able to easily see what was in
a build. If we allow arbitrary src.rpms it opens up a big can of worms:

- We have to store those src.rpms forever (or many years).
- Looking at what was used requires you to download a big src.rpm and
  unpack it instead of looking at a git hash in a repo.
- There's much less auditing. Someone could upload a src.rpm with
  horrible junk in it and the only way to tell would be to download and
  inspect it.

So, I think that's a big no go. ;)

Otherwise this sounds like great stuff to talk to rpm upstream
about. ;)
kevin