<div dir="ltr"><div>Agreed. But the difference is that, using full commits, a history rewrite will always be detected. Using a tag is making it possible for upstream to bind the same tag to a different commit. And since it's possible, it will happen.<br>
<br></div>It's a shame there is no way to block forced updates on github. It's a little bit too easy to make a history rewrite there.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jan 24, 2014 at 2:13 PM, Stephen Gallagher <span dir="ltr"><<a href="mailto:sgallagh@redhat.com" target="_blank">sgallagh@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
On 01/23/2014 05:49 PM, Adam Williamson wrote:<br>
> On Tue, 2014-01-21 at 11:09 -0600, Richard Shaw wrote:<br>
>> On Tue, Jan 21, 2014 at 11:06 AM, Miroslav Suchý<br>
>> <<a href="mailto:msuchy@redhat.com">msuchy@redhat.com</a>> wrote: On 01/21/2014 06:01 PM, Kaleb KEITHLEY<br>
>> wrote:<br>
>>><br>
>>> Take, for example,<br>
>> <a href="https://github.com/nfs-ganesha/nfs-ganesha/releases" target="_blank">https://github.com/nfs-ganesha/nfs-ganesha/releases</a>, where<br>
>> there's a button for "Source code<br>
>>> (tar.gz)" pointing at<br>
>> <a href="https://github.com/nfs-ganesha/nfs-ganesha/archive/V2.0.0.tar.gz" target="_blank">https://github.com/nfs-ganesha/nfs-ganesha/archive/V2.0.0.tar.gz</a><br>
>>><br>
>>> Note V2.0.0.tar.gz versus nfs-ganesha-2.0.0.tar.gz.<br>
>>><br>
>>> If I click on that link the downloaded file is named<br>
>> nfs-ganesha-2.0.0.tar.gz by virtue of the Content-Disposition<br>
>> http<br>
>>> header.<br>
>>><br>
>>> Likewise if I use `curl -L ...` the downloaded file is named<br>
>> nfs-ganesha-2.0.0.tar.gz.<br>
>>><br>
>>> But for my nfs-ganesha.spec file, if I use the github link<br>
>> shown above, I have to load a file V2.0.0.tar.gz into the<br>
>>> look-aside cache. Anything else and rpm and rpmlint whine.<br>
>>><br>
>>> Is there a best practice here that I'm missing?<br>
>><br>
>><br>
>> <a href="https://fedoraproject.org/wiki/Packaging:SourceURL#Github" target="_blank">https://fedoraproject.org/wiki/Packaging:SourceURL#Github</a><br>
>><br>
>><br>
>><br>
>><br>
>> Interesting... However, if you're working with an actual release<br>
>> tag, I would think Peter's method would be much better.<br>
><br>
> It is a good idea to use a specific commit as your source, not a<br>
> tag, because the tag can be silently edited, and then you lose<br>
> source reproducibility.<br>
><br>
> Yes, this is a problem with tarballs too - upstream can always<br>
> ninja the tarball - but look at it this way: github affords us the<br>
> ability to avoid that problem, and so we should take it.<br>
><br>
<br>
Actually, it's not a problem with tarballs. That's *precisely* why we<br>
store the tarball hashes. This way, we at least know whether they<br>
still match.<br>
<br>
And it's still possible to 'ninja' a github repository with a history<br>
rewrite (for example if the upstream discovers that they have content<br>
that was impermissible to distribute, they might retroactively delete<br>
it from the history). This would change all git hashes that occur<br>
after this time.<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iEYEARECAAYFAlLiZvsACgkQeiVVYja6o6Pe0wCeNUI3x2sa0br+2qMs2MLmL2yX<br>
GvsAni3A4//1e5s+hXhbUlh75gtpqazp<br>
=fSzG<br>
-----END PGP SIGNATURE-----<br>
<span class="HOEnZb"><font color="#888888">--<br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel</a><br>
Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct" target="_blank">http://fedoraproject.org/code-of-conduct</a></font></span></blockquote></div><br></div>
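<p>The two detection mechanisms argued over in this thread (pinning a commit hash instead of a tag, and keeping the tarball hash in the look-aside cache) can be exercised side by side. The script below is an added example, not code from the thread, from Fedora's packaging tooling, or from any of the projects mentioned. It builds a throwaway local git repository to stand in for an upstream GitHub project, records what a packager would pin, then simulates the "ninja" edit Stephen describes (the release commit amended and the tag force-moved) and shows which checks notice it. Assumptions: git and sha256sum (or shasum) are installed, and the sha256 of a local <code>git archive</code> tar stands in for the hash of a downloaded release tarball (GitHub's generated archives are not necessarily byte-identical to it).</p>

```shell
#!/bin/sh
# Added example (not code from the thread or from Fedora's tooling).
# A throwaway local repo plays the role of the upstream GitHub project.
# Assumptions: git and sha256sum/shasum are installed; the sha256 of
# `git archive` output stands in for the look-aside cache tarball hash.
set -eu

sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Create an upstream repo at $1 with one release commit tagged V1.0.0.
make_upstream() {
  rm -rf "$1"
  git init -q "$1"
  git -C "$1" config user.name upstream
  git -C "$1" config user.email upstream@example.invalid
  printf 'release content\n' >"$1/README"
  git -C "$1" add README
  git -C "$1" commit -q -m 'Release 1.0.0'
  git -C "$1" tag V1.0.0
}

# The commit a tag currently points at: this is the value to record in the
# spec instead of the tag name, since a tag can be moved and a hash cannot.
tag_commit() {
  git -C "$1" rev-parse "$2^{commit}"
}

# Hash of the release archive for ref $2 (uncompressed tar, which git
# produces deterministically for a given commit).
archive_sha256() {
  git -C "$1" archive --format=tar --prefix=pkg-1.0.0/ "$2" | sha256 | cut -d' ' -f1
}

# Is commit $2 still part of the history behind ref $3?  0 = yes, 1 = no.
# (The old object may survive a rewrite until gc, so test reachability,
# not mere existence.)
commit_in_release() {
  git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Simulate upstream quietly editing the release: amend the commit (new
# hash) and force the tag onto it, as a force-push to GitHub would.
rewrite_upstream() {
  printf 'release content, quietly edited\n' >"$1/README"
  git -C "$1" add README
  git -C "$1" commit -q --amend -m 'Release 1.0.0'
  git -C "$1" tag -f V1.0.0 >/dev/null
}

demo() {
  tmp=$(mktemp -d)
  repo="$tmp/upstream"
  make_upstream "$repo"
  pinned=$(tag_commit "$repo" V1.0.0)
  pinned_sum=$(archive_sha256 "$repo" V1.0.0)
  echo "pinned commit:  $pinned"
  echo "tarball sha256: $pinned_sum"

  rewrite_upstream "$repo"
  now=$(tag_commit "$repo" V1.0.0)
  now_sum=$(archive_sha256 "$repo" V1.0.0)
  echo "tag V1.0.0 now: $now"
  [ "$now" = "$pinned" ] && echo "tag check: unchanged" || echo "tag check: TAG MOVED"
  [ "$now_sum" = "$pinned_sum" ] && echo "tarball check: unchanged" || echo "tarball check: HASH MISMATCH"
  if commit_in_release "$repo" "$pinned" V1.0.0; then
    echo "pinned commit is still in the release history"
  else
    echo "pinned commit is no longer in the release history (rewrite detected)"
  fi
  rm -rf "$tmp"
}

# Usage: sh tagcheck.sh run
if [ "${1:-}" = run ]; then demo; fi
```

<p>Run with <code>sh tagcheck.sh run</code>. After the simulated rewrite the tag name still resolves, but to a different commit; the pinned hash is no longer an ancestor of the tag, and the archive hash no longer matches the recorded one, so both the commit-pinning approach and the stored-tarball-hash approach flag the change. Fetching the archive for the originally pinned commit still reproduces the old hash as long as that object has not been garbage-collected, which is what makes a pinned commit a stable source reference.</p>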