Naming issue for meego 1.0 related packages

Chen Lei supercyper1 at gmail.com
Fri Jul 16 10:39:44 UTC 2010


2010/7/12 Kevin Kofler <kevin.kofler at chello.at>:
> Michel Alexandre Salim wrote:
>> I experienced this recently with another project (openSUSE's build
>> service client) -- GitHub lets you download a project's tagged
>> snapshots as tarballs, but Gitorious does not have this functionality.
>
> But on-demand autogenerated tarballs are evil because they usually don't
> have reproducible checksums, so there's no straightforward way to verify
> that the tarball has not been altered.
>
>        Kevin Kofler
>

The autogenerted tarballs from original moblin VCS[1] are not evil :),
they have a permanent checksums. Unfortunately, meego moved all
packages to gitorious which don't have the same feature. So I suggest
to use tarballs extracted from upstream SRPM[1] instead of pulling
source files directly from VCS to be easier for checking md5sum. Is it
forbidden by fedora packaging guideline?  When we keep consistent with
upstream RPM version, we can also report some bugs to meego bugzilla
directly.

[1]http://git.moblin.org/cgit.cgi/scim-panel-vkb-gtk/
[2]http://repo.meego.com/


Regards,
Chen Lei


More information about the devel mailing list