[Bug 1231318] Review Request: php-zordius-lightncandy - An extremely fast PHP implementation of handlebars and mustache

bugzilla at redhat.com bugzilla at redhat.com
Tue Jun 23 15:12:36 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1231318

Mathieu Bridon <bochecha at fedoraproject.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bochecha at fedoraproject.org



--- Comment #10 from Mathieu Bridon <bochecha at fedoraproject.org> ---
> The guidelines even mention to use the release tarball:
> 
> "If the upstream does create tarballs you should use them as tarballs provide an easier trail for people auditing the packages."

Except upstream does not create release tarballs.

That URL you are using is automatically generated by GitHub.

Look at this project as an example:

https://github.com/Cangjians/libcangjie/releases

I'm upstream, and I created the libcangjie-%{version}.tar.gz files myself
and uploaded them to GitHub.

But the "Source code (zip)" and "Source code (tar.gz)" links are automatically
generated by GitHub. I know, because I never uploaded those files. :)

In the case of your upstream, the only tarballs published are the automatically
generated GitHub ones.

As a result, Remi is correct, you should not use those URLs.
