https://bugzilla.redhat.com/show_bug.cgi?id=1231318
Mathieu Bridon bochecha@fedoraproject.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bochecha@fedoraproject.org
--- Comment #10 from Mathieu Bridon bochecha@fedoraproject.org ---
The guidelines even mention to use the release tarball:
"If the upstream does create tarballs you should use them as tarballs provide an easier trail for people auditing the packages."
Except upstream does not create release tarballs.
That URL you are using is automatically generated by GitHub.
Look at this project as an example:
https://github.com/Cangjians/libcangjie/releases
I'm upstream, and I created the libcangjie-%{version}.tar.gz files myself, which I uploaded to GitHub.
But the "Source code (zip)" and "Source code (tar.gz)" links are automatically generated by GitHub. I know, because I never uploaded those files. :)
In the case of your upstream, the only tarballs published are the automatically generated GitHub ones.
As a result, Remi is correct, you should not use those URLs.
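
The distinction drawn in the comment above can be checked mechanically when auditing a spec file. The following is an added example, not part of the original comment or of any Fedora tooling. It assumes the URL layouts GitHub uses for uploaded release assets (`/releases/download/TAG/FILE`) and for archives generated from a git ref (`/archive/...`, `/tarball/`, `/zipball/`, `codeload.github.com`). The owner, project and tag names in the sample spec are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Path shapes for files a maintainer uploaded to a release vs. archives
# GitHub builds on request from a git ref (assumed layouts, see lead-in).
UPLOADED = re.compile(r"^/[^/]+/[^/]+/releases/download/[^/]+/[^/]+$")
GENERATED = {
    "github.com": re.compile(
        r"^/[^/]+/[^/]+/(archive/.+\.(tar\.gz|zip)|(tarball|zipball)/.+)$"),
    "codeload.github.com": re.compile(r"^/[^/]+/[^/]+/(tar\.gz|zip)/.+$"),
}
SOURCE_LINE = re.compile(r"^\s*Source\d*\s*:\s*(\S+)", re.IGNORECASE)


def classify(url):
    """Return 'uploaded', 'generated' or 'other' for a source URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "github.com" and UPLOADED.match(parts.path):
        return "uploaded"
    pattern = GENERATED.get(host)
    if pattern and pattern.match(parts.path):
        return "generated"
    return "other"


def audit_spec(spec_text):
    """Map each SourceN value in an RPM spec to its classification."""
    result = {}
    for line in spec_text.splitlines():
        m = SOURCE_LINE.match(line)
        if m:
            result[m.group(1)] = classify(m.group(1))
    return result


# Constructed spec fragment; owner, project and tag names are placeholders.
SAMPLE_SPEC = """\
Name:    example
Source0: https://github.com/example-owner/example/releases/download/v%{version}/example-%{version}.tar.gz
Source1: https://github.com/example-owner/example/archive/v%{version}.tar.gz
Source2: https://github.com/example-owner/example/archive/refs/tags/v%{version}.zip
Source3: https://codeload.github.com/example-owner/example/tar.gz/v%{version}
Source4: example.conf
"""

if __name__ == "__main__":
    for url, kind in audit_spec(SAMPLE_SPEC).items():
        print(f"{kind:9} {url}")
```

A result of "uploaded" only says the file was attached to a release by someone with write access to the repository. It does not by itself show that the file matches the tagged tree.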