On Wed, 24 Aug 2011 07:23:30 -0700
Toshio Kuratomi <a.badger(a)gmail.com> wrote:
> On Wed, Aug 24, 2011 at 08:45:20AM -0400, James Laska wrote:
> > < Location:
>
> Side comment to your main issue: How is this tarball being
> generated? I see in the review request that the md5sum of the file
> at that URL has changed over time. If it's just the upstream not
> officially releasing this tarball until the Fedora RPM is out and
> therefore making changes to the tarball to address review criteria
> it's not standard practice but okay. If the tarball is going to
> continue to evolve with this same name after the Fedora RPM is
> reviewed, then it's probably better to generate a git snapshot.
>
> The aim is to make things reproducible. If we can't count on getting
> the same tarball once the rpm is built, we'd rather have instructions
> on making a snapshot that has a revision id that we can count on
> pulling to get the same set of files at a later date.

I've done a few reviews on GitHub packages. Even if you download a
stable tag tarball from the project in GitHub (which in theory should
be equivalent to using a stable release tarball), it turns out that the
checksums might not match a few days after.

I think GitHub caches the tarballs it generates for a few days, so if
you grab the same tarball repeatedly, you'll get the same md5sum. If
you wait a longer time, you will get a different result. But even
though the md5sums won't match, the contents will still be the same.

Fedora Project Contributor
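
A reviewer who finds that the md5sum of a regenerated tarball has changed can still check whether the unpacked contents are the same, as described in the message above. The following is an added example, not part of the original thread: it builds two archives of one constructed file tree whose gzip header timestamps differ (an assumed cause of the byte difference; the thread does not say what changes), then compares per-file digests. The names `make_tarball`, `content_manifest`, `same_contents` and `SAMPLE` are hypothetical.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (not from any real project).
SAMPLE = {"pkg-1.0/README": b"hello\n", "pkg-1.0/setup.py": b"print('setup')\n"}

def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory; gzip_mtime goes into the gzip header."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def content_manifest(tarball):
    """Map every member path to (type, mode, SHA-256 of content or link target)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                manifest[m.name] = ("file", m.mode, digest)
            elif m.issym() or m.islnk():
                manifest[m.name] = ("link", m.mode, m.linkname)
            else:
                manifest[m.name] = ("other", m.mode, "")
    return manifest

def same_contents(a, b):
    """True when both archives unpack to the same paths, modes and bytes."""
    return content_manifest(a) == content_manifest(b)

if __name__ == "__main__":
    first = make_tarball(SAMPLE, gzip_mtime=1314195810)
    later = make_tarball(SAMPLE, gzip_mtime=1314627810)
    print("md5 equal:     ", hashlib.md5(first).digest() == hashlib.md5(later).digest())
    print("contents equal:", same_contents(first, later))
```

A manifest match shows only that the two downloads agree with each other; pinning a revision id, as suggested in the quoted message, is what ties the files to a known upstream state.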