On Tue, Apr 21, 2020 at 05:23:47PM +0200, Thorsten Leemhuis wrote:
> Lo!
>
> On 20.04.20 at 16:41, Jeremy Cline wrote:
> > On Fri, Apr 17, 2020 at 10:06:02PM +0200, Thorsten Leemhuis wrote:
> >> On 17.04.20 at 20:55, Don Zickus wrote:
> > […]
> >>> Is there any other large concern with the new workflow?
> >> The more I think about this the more I dislike that we are not using
> >> official, pristine tarballs anymore. This "Source0 is a tarball
> >> generated from a git tree maintained outside of the Fedora infra and
> >> patched with buildscripts" IMHO violates the intention of the SourceURL
> >> part of the Fedora Packaging Guidelines that was put in place for good
> >> reasons (by both Red Hat and community contributors):
> >>
> >> https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/
> >
> > It sounds like maybe there's confusion about what the new tarball
> > contains.
>
> Yes, there…
>
> > The tarballs that are generated and checked into dist-git contain no
> > Fedora modifications and are directly from a commit or tag in Linus's git
> > tree, generated with git-archive[0].
>
> …indeed was. I apologize for getting this wrong. Just one suggestion in
> that case:
>
> > The only thing that changed is that
> > before we took the latest tagged release, then applied an rc patch from
> > upstream if available, then the snapshot from that week's development as
> > a patch generated on the maintainer's machine, then applied
> > Fedora-specific patches. Now we just git-archive Linus's master branch
> > for the day.
>
> Can't we make that clearer by using something like this?
>
> Source0:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapsh...
>
> That was for 5.7-rc2 and makes it obvious where I can download this from
> if I do not trust the contents of the SRPM. And/or a comment right
> before the Source0 line that explains the situation for ordinary people
> might be good enough (yes, there is one, but it's hard to understand).

I lean towards a clearer comment. If we change the actual Source0 we
have to stop xz-compressing the tarball and change the naming scheme to
line up with the URL naming format.

> > We can download the tarball (created by git-archive on a signed tag)
> > from kernel.org instead of running git-archive on a signed tag
> > ourselves if that will really help people sleep at night, but we'll
> > still be slapping unsigned snapshots on top of that so it's not clear to
> > me that we'll be gaining much.
>
> Yeah, you definitely have a point for rawhide. But once this scheme is
> used for stable releases it's a bit different, as there the base will
> normally have a signed tag.

We've not actually got any machinery for stable releases yet so I think
we can take that into account when we do that.

- Jeremy
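The trust question raised in the thread is whether the Source0 tarball in dist-git really is a plain git-archive of the commit it claims to come from, with no modifications slipped in. The check below is an added example, not part of the Fedora kernel dist-git scripts or anything from the thread: it regenerates the archive from the named commit and compares digests, so a reviewer who "does not trust the contents of the SRPM" can confirm the tarball independently. The repository, the commit, the tag name v5.7-rc2, the prefix linux-5.7-rc2/ and both tarballs are constructed inside the script as stand-ins for Linus's tree and the dist-git artifact; the real check would point the same functions at a clone of torvalds/linux.git and the downloaded Source0.

```shell
#!/bin/sh
# Added example (not the Fedora kernel build scripts): confirm that a
# Source0 tarball is byte-identical to `git archive` of the commit it
# claims to be, so its contents need not be trusted on faith.
set -eu

sha256_of() {
    # Portable SHA-256 over stdin (sha256sum on Linux, shasum on macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Digest of the *uncompressed* tar stream git-archive produces for a commit.
# Comparing uncompressed streams sidesteps compressor versions and levels
# (dist-git xz-compresses, kernel.org snapshots are gzip); the tar stream
# itself is deterministic for a given commit, prefix and git version.
archive_digest() {   # $1=repo  $2=commit-ish  $3=prefix (e.g. linux-5.7-rc2/)
    git -C "$1" archive --format=tar --prefix="$3" "$2" | sha256_of
}

# Digest of a shipped tarball after stripping its compression layer.
tarball_digest() {   # $1=path to .tar, .tar.gz or .tar.xz
    case "$1" in
        *.xz) xz -dc "$1" ;;
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | sha256_of
}

# Succeeds only when the tarball equals git-archive of the claimed commit.
verify_source0() {   # $1=tarball  $2=repo  $3=commit-ish  $4=prefix
    [ "$(tarball_digest "$1")" = "$(archive_digest "$2" "$3" "$4")" ]
}

# ---- constructed stand-in for Linus's tree and for the dist-git tarball ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REPO="$WORK/linux"
git init -q "$REPO"
printf 'VERSION = 5\nPATCHLEVEL = 7\n' > "$REPO/Makefile"
git -C "$REPO" add Makefile
GIT_AUTHOR_DATE='2020-04-19T00:00:00Z' GIT_COMMITTER_DATE='2020-04-19T00:00:00Z' \
git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
    -c commit.gpgsign=false commit -q -m 'Linux 5.7-rc2'
git -C "$REPO" tag v5.7-rc2            # upstream this tag would be GPG-signed
COMMIT=$(git -C "$REPO" rev-parse v5.7-rc2)
PREFIX="linux-5.7-rc2/"

# What dist-git ships: git-archive of the commit, compressed (gzip here
# because it is always installed; an .xz Source0 is handled identically).
GOOD="$WORK/linux-5.7-rc2.tar.gz"
git -C "$REPO" archive --format=tar --prefix="$PREFIX" "$COMMIT" | gzip -n > "$GOOD"

# A tarball whose tree differs from the claimed commit (here simply archived
# from a later commit) but carries the same name and prefix.
BAD="$WORK/linux-5.7-rc2-tampered.tar.gz"
printf 'VERSION = 5\nPATCHLEVEL = 7\nEXTRAVERSION = -tampered\n' > "$REPO/Makefile"
git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
    -c commit.gpgsign=false commit -q -am 'not what the spec claims'
git -C "$REPO" archive --format=tar --prefix="$PREFIX" HEAD | gzip -n > "$BAD"

if verify_source0 "$GOOD" "$REPO" "$COMMIT" "$PREFIX"; then
    echo "linux-5.7-rc2.tar.gz: matches git-archive of $COMMIT"
fi
if verify_source0 "$BAD" "$REPO" "$COMMIT" "$PREFIX"; then
    echo "tampered tarball: MATCHES (should not happen)"
else
    echo "tampered tarball: differs from git-archive of $COMMIT"
fi
```

For a rawhide snapshot the commit id is the only thing the tarball can be tied to, which is the point Jeremy makes about unsigned snapshots. Once a stable release is based on a signed tag, the same comparison can be preceded by `git verify-tag v5.7` in the clone, so the digest is anchored to a signature rather than only to a hash named in the spec file.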