Product: Fedora https://bugzilla.redhat.com/show_bug.cgi?id=916405
--- Comment #8 from Shawn Iwinski shawn.iwinski@gmail.com --- Spec changes: https://github.com/siwinski/rpms/commit/51dc9bc48668a4482d16b49e300c34cd2ecc...
SPEC URL: http://siwinski.fedorapeople.org/rpmbuild/SPECS/php-Assetic.spec
SRPM URL: http://siwinski.fedorapeople.org/rpmbuild/SRPMS/php-Assetic-1.1.0-0.2.alpha4...
(In reply to comment #7)
No blocker, but
[!]: Latest version is packaged. 1.0.4 is tagged.
Drupal 8 (future package I am working on) requires version 1.1.*. I just updated the package from v1.1.0-alpha3 to v1.1.0-alpha4.
Why do you take a github snapshot, when upstream properly tag each release and provides a tarball ?
From guidelines https://fedoraproject.org/wiki/Packaging:SourceURL#Github "If the upstream does create tarballs you should use them as tarballs provide an easier trail for people auditing the packages."
Ex : https://github.com/kriswallsmith/assetic/archive/v1.1.0-alpha4.tar.gz
From the same guidelines:
"For a number of reasons (immutability, availability, uniqueness), you must use the full commit revision hash when referring to the sources.
The full 40-character hash can be copied from the github web interface at https://github.com/$OWNER/$PROJECT/tags or by cloning the repository and using git rev-parse $TAG"
I read that as we must use the full commit hash for sources rather than the tag.
[!]: Requires correct, justified where necessary. Where do you find info about the twig / symfony min / max version ?
From the composer.json file --
https://github.com/kriswallsmith/assetic/blob/v1.1.0-alpha4/composer.json
"symfony/process": ">=2.1.0,<2.3-dev" "twig/twig": ">=1.6.0,<2.0"