[Fedora-packaging] Can we allow such URL?

Stanislav Ochotnicky sochotnicky at redhat.com
Fri May 31 12:32:02 UTC 2013 

Quoting Mattias Ellert (2013-05-31 13:18:31)
> tor 2013-05-30 klockan 11:51 +0200 skrev Björn Esser:
> > 
> > I'd say "NO WAY", because tags can be created/deleted/altered by anyone
> > having write-access to the repo. They are NOT explicitly meant to be
> > created-once-lasts-forever or points-to-same-commit-sha-forever, so
> > checking the tarball to be pristine might be close to impossible in the
> > future, if the tag will be altered pointing to an other commit or be
> > deleted. This may lead to FTBFS as well.
> Why is a tarball published on github less valuable than a tarball
> published anywhere else?
> 
> Admittedly, as you say a tag in github can be removed and reapplied
> again on a different commit. However, a well behaving upstream will not
> do this. This is not something unique to github - the same can happen on
> a git server somewhere else and in svn and cvs too. Also a tarball
> published by upstream on a separate server can be replaced with a
> different one if upstream is not well behaved. If you do not accept the
> tarball generated from the github tag published on the github server,
> why would you accept any source tarball published anywhere? They both
> can be replaced at any time by a weirdly behaving upstream. And neither
> will be replaced by a well behaving one.

Rearranged a bit, agree completely with Mattias. Github is no different than
other places in this regard. 

> > An URL like this also _WILL_
> > lead to conflicting names of source-tarballs, because it's only named to
> > the version and not to the app's name. Don't forget the naming
> > guidelines: "When naming a package, the name should match the upstream
> > tarball or project..."

That guideline actually refers to name of (s)rpms not some tarball in lookaside
cache, but OK I'm game...

Easily solvable. Example:
Source0: https://github.com/JodaOrg/%{name}/archive/v%{version}.tar.gz#/%{name}-{version}.tar.gz
 
Note the ending "#/%{name}-%{version}.tar.gz". 

As a bonus there's not dirhash to deal with. In the past problem with that URL
has been that they didn't have static hash. That has been fixed as well I believe.

> > https://fedoraproject.org/wiki/Packaging:NamingGuidelines?rd=Packaging/NamingGuidelines#General_Naming
> > 
> > So using the URL from the guidelines all will be fine, because it will
> > create a tarball named containing the projectname, version and the
> > definitive unique and forever-lasting commit-sha...

I actually had a ticket opened at FPC[1] to update this guideline but then I
haven't found time to prepare the draft. If someone would create a proposal and
reopen the ticket...we might improve the situation. 


-- 
Stanislav Ochotnicky <sochotnicky at redhat.com>
Software Engineer - Developer Experience

PGP: 7B087241
Red Hat Inc.                               http://cz.redhat.com

More information about the packaging mailing list