Source URL guidelines (was Re: source file audit - 2009-02-15)

Ralf Corsepius rc040203 at freenet.de
Sun Feb 22 12:35:13 UTC 2009


Michael Schwendt wrote:
> On Sun, 22 Feb 2009 07:37:28 +0100, Ralf wrote:
> 
>> The whole point behind Source-URL rules is to have a reliable, 
> 
> Making a Source-URL reliable is not the package maintainer's
> responsibility. All that matters is that the URL works during a package
> review request and at least does not give a 40x error. As some upstream
> projects like to change their web page directory structure from time to
> time, it can happen that download locations change, too. Rebuilding
> tarballs is done by some projects, too, for minor/subtle fixes even
> in readme files.
> 
>> deterministic URL from which a package can be retrieved for e.g. 
>> verification (e.g checksum), legal reviews, tracking origins of packages 
>> etc.
> 
> How often does that happen?

More often than you think.

You only don't see such issues having an effect because our policy is 
so restrictive. Upstreams are moving between hosts, upstreams 
are replacing tarballs, upstream sites are being compromised, ...

> There still is the URL tag which can be used to search for [and verify!]
> new download locations during a "legal review".
Yes, chasing URLs is the last resort. You can't seriously want 
this to be the norm?

>> and to prevent Fedora from being vulnerable from upstream dynamics 
>> (low quality random snapshots, bugs, compromised upstreams, etc.)
> 
> ?!  A static Source-URL alone doesn't achieve that.
Right, but comparing tarballs against those found on URLs does.

>> That said, the sourceforge rule is a "best-practice hint" to _prevent_ 
>> users from populating source-urls with one of sourceforge's mirror.
> 
> Historically, its goal has been a different one:
> 
> Avoiding that packagers point to the interactive mirror-selection web page
> at SF.net.
Well, yes, this also has been part of the motivation, but not the sole 
purpose.

The real purpose these days is to be able to compare an *.src.rpm's 
sources against those to be found on the given URL.

> Reviewers [still] prefer wget/curl-compatible download locations,
lftp, as far as I am concerned. Historically, I had found wget/curl to 
be too unreliable ;)


>> <cite>
>> For packages hosted on sourceforge, use
>>
>> Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
>>
>> changing ".tar.gz" to whatever matches the upstream distribution. Note 
>> that we are using downloads.sourceforge.net instead of an arbitrarily 
>> chosen mirror.
>> </cite>
> 
> This has been found to "work most of the time" (while older ones like
> dl.sf.net stopped being reliable), but it's not bullet-proof either.
Right, nevertheless it's a static URL and not that of an arbitrary 
mirror which might change every now and then.

Ralf
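The check Ralf describes above, comparing the sources shipped in a *.src.rpm against copies fetched from the spec's Source URLs, as an added example that is not part of the original thread and not Fedora tooling. It assumes a POSIX shell with sha256sum, and that the spec's Source lines use only the %{name} and %{version} macros (a real spec would be expanded with `rpmspec -P` and its sources fetched with `spectool -g` or lftp; here the "upstream" copies are a directory that stands in for the downloaded files). The spec and tarballs in `demo` are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the original thread or from Fedora's tooling).
# Compares each Source file shipped with a package against the copy fetched
# from the URL named in the spec, so a silently rebuilt or replaced upstream
# tarball shows up as a checksum mismatch.
# Assumptions: POSIX sh, sha256sum; Source lines use only %{name}/%{version}.

# Print the expanded Source URLs from a spec file, one per line.
source_urls() {
    spec="$1"
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$spec" | head -n1)
    version=$(sed -n 's/^Version:[[:space:]]*//p' "$spec" | head -n1)
    sed -n 's/^Source[0-9]*:[[:space:]]*//p' "$spec" \
        | sed "s/%{name}/$name/g; s/%{version}/$version/g"
}

# Print the basename of a URL, i.e. the file name rpmbuild expects in SOURCES.
url_basename() {
    printf '%s\n' "${1##*/}"
}

# Compare every Source file in LOCAL_DIR (what the src.rpm carries) against
# the same file name in UPSTREAM_DIR (what was downloaded from the URL).
# Sources that are not URLs (local patches, desktop files) cannot be
# re-fetched and are skipped. Returns 0 if all checksums match, 1 otherwise.
verify_sources() {
    spec="$1"; local_dir="$2"; upstream_dir="$3"
    status=0
    for url in $(source_urls "$spec"); do
        f=$(url_basename "$url")
        case "$url" in
            http://*|https://*|ftp://*) ;;
            *) printf 'SKIP     %s (not a URL, cannot be re-fetched)\n' "$f"; continue ;;
        esac
        if [ ! -f "$upstream_dir/$f" ]; then
            printf 'MISSING  %s from %s\n' "$f" "$url"; status=1; continue
        fi
        a=$(sha256sum "$local_dir/$f" | cut -d' ' -f1)
        b=$(sha256sum "$upstream_dir/$f" | cut -d' ' -f1)
        if [ "$a" = "$b" ]; then
            printf 'OK       %s %s\n' "$f" "$a"
        else
            printf 'MISMATCH %s srpm=%s upstream=%s\n' "$f" "$a" "$b"; status=1
        fi
    done
    return $status
}

# Constructed demo fixture: a minimal spec, the tarball as shipped in the
# src.rpm, and an "upstream" copy that is later replaced behind the same URL.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/srpm" "$tmp/upstream"
    cat >"$tmp/foo.spec" <<'EOF'
Name: foo
Version: 1.2
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Source1: foo.desktop
EOF
    printf 'tarball bytes' >"$tmp/srpm/foo-1.2.tar.gz"
    printf 'tarball bytes' >"$tmp/upstream/foo-1.2.tar.gz"
    verify_sources "$tmp/foo.spec" "$tmp/srpm" "$tmp/upstream" && echo "sources match"
    # Upstream quietly rebuilds the tarball under the same name and URL.
    printf 'tarball bytes, rebuilt' >"$tmp/upstream/foo-1.2.tar.gz"
    verify_sources "$tmp/foo.spec" "$tmp/srpm" "$tmp/upstream" || echo "sources differ"
    rm -rf "$tmp"
}

demo
```

The point of keying the comparison on the spec's own Source URL is exactly the one made above: with a static URL, anyone can re-fetch the file and compare, whereas an arbitrary mirror or an interactive download page gives a reviewer nothing deterministic to check against.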
