Should we stop distributing source tarballs?
Tobias Leupold
tl at stonemx.de
Thu Apr 4 11:48:40 BST 2024
E-mail from Albert Vaca Cintora of Wednesday, 3 April 2024, 18:34:04 CEST:
> Hi KDE folks,
>
> The recent xz backdoor scandal made me realize how bad and obsolete
> distributing tarballs is. The source of truth for our code is the
> repositories, and releases can simply be tags on those repos.
>
> As a big free software community, I think we should lead by example
> and get rid of tarballs altogether (as I hope to see in other projects
> as well) after the recent events.
>
> Packagers can git pull.
>
> If we ever replace git with something else, that something else will
> have tags as well.
>
> What's the advantage of providing tarballs?
>
> Albert
Hi,
I'm surely nobody of importance here, but when you demand that we stop releasing
tarballs because some compression tool has been compromised, you might as well
demand that all SSL servers be shut down because of the Heartbleed bug or whatever.
Speaking just for myself: I release tarballs not only for KDE software but also
for other projects. There, more than for KDE, I do the following: a release
tarball is not necessarily one exact tag. Some (re)source files may be altered
while preparing the release; other material may be compiled from different
repos or sources. For the documentation of one of my other projects, for example,
I use a @DATE@ placeholder that is finally replaced with the actual release date
by a release script and translated from RST to HTML for the final release
tarball. I also often use a version.h.in header file and let CMake generate the
real version.h when compiling. When releasing, I remove it and replace it with a
version.h file containing the very version of this release -- which does not
exist in git at all.
That's just what comes to mind right away. A release is not always only a git tag.
Also, git tags can be moved, deleted, created again and so on. When you make a
release tarball, you can create checksums, sign it and so on. And even if the
git repo is deleted, or the sources are moved to another CVS or whatever at some
point in the future, the tarball still exists.
Also, one should think a bit more comprehensively here: why should thousands of
users create the same source package over and over again if you can create it
once, compress it and simply deliver it? This would be a waste of resources
and energy, cause unneeded server load and so on.
So, from my point of view the answer here is: no, we definitely should not
stop distributing source tarballs.
Cheers, Tobias
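A check that follows from the two positions in this thread (a tarball that legitimately differs from its tag, and a tarball whose differences nobody looked at): unpack the release tarball next to `git archive` of the tag and list exactly which files differ, so a reviewer can confirm that only the expected generated files (a version.h, rendered docs) are present before checksums are made and the tarball is signed. This is an added example, not code from the thread or from KDE's release tooling; the function names, the repository and the tarball below are constructed for the demo. It needs git, tar and cmp.

```shell
#!/bin/sh
# Added example, not from the kde-devel thread or KDE's release tooling:
# compare a release tarball against `git archive` of the tag it claims to be
# built from, and list every file that differs or exists on only one side.
# Function and file names are hypothetical.
set -eu

# tarball_vs_tag REPO TAG TARBALL
# Prints one line per discrepancy:
#   only-in-tarball PATH   generated at release time (or smuggled in)
#   only-in-tag PATH       removed while preparing the tarball
#   differs PATH           content changed between tag and tarball
# Returns 0 when the tarball matches the tag exactly, 1 otherwise.
tarball_vs_tag() {
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d)
    mkdir "$work/tag" "$work/tb"
    # git archive yields exactly the tree of the tag, with nothing generated.
    git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/tag"
    tar -xf "$tarball" -C "$work/tb"
    # A release tarball is expected to unpack into one name-version/ directory.
    set -- "$work/tb"/*
    [ $# -eq 1 ] || { echo "expected one top-level directory in $tarball" >&2; return 2; }
    top=$1
    report=$(
        { (cd "$work/tag" && find . -type f); (cd "$top" && find . -type f); } |
            sort -u |
            while IFS= read -r f; do
                if [ ! -e "$work/tag/$f" ]; then
                    printf 'only-in-tarball %s\n' "${f#./}"
                elif [ ! -e "$top/$f" ]; then
                    printf 'only-in-tag %s\n' "${f#./}"
                elif ! cmp -s "$work/tag/$f" "$top/$f"; then
                    printf 'differs %s\n' "${f#./}"
                fi
            done
    )
    rm -rf "$work"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo input: a tiny repository with one tag, and a "release"
# tarball built from that tag plus the kind of edit the mail describes
# (version.h.in swapped for a generated version.h) and one edit to a build
# script that exists only in the tarball. Prints the repository path; the
# tarball is written to REPO/demo-1.0.tar.
make_demo() {
    demo=$(mktemp -d)
    git -C "$demo" init -q
    printf 'demo project\n' > "$demo/README"
    printf '#define VERSION "@VERSION@"\n' > "$demo/version.h.in"
    printf '#!/bin/sh\ncc -o demo main.c\n' > "$demo/build.sh"
    git -C "$demo" add -A
    GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid \
    GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid \
        git -C "$demo" commit -q -m "initial import"
    git -C "$demo" tag v1.0

    staging=$(mktemp -d)
    git -C "$demo" archive --format=tar --prefix=demo-1.0/ v1.0 | tar -xf - -C "$staging"
    # Release-time edits, as in the mail: drop the template, ship the real header.
    rm "$staging/demo-1.0/version.h.in"
    printf '#define VERSION "1.0"\n' > "$staging/demo-1.0/version.h"
    # A change to the build script that never went through git.
    printf 'echo "extra step only in the tarball"\n' >> "$staging/demo-1.0/build.sh"
    tar -cf "$demo/demo-1.0.tar" -C "$staging" demo-1.0
    rm -rf "$staging"
    printf '%s\n' "$demo"
}

# Stand-alone run: reports version.h, version.h.in and build.sh.
repo=$(make_demo)
tarball_vs_tag "$repo" v1.0 "$repo/demo-1.0.tar" ||
    echo "tarball differs from tag v1.0; review the paths above before signing" >&2
```

Against a real release this would be run as `tarball_vs_tag path/to/repo v24.02.0 foo-24.02.0.tar` (hypothetical names). A non-empty report is not by itself a problem, for exactly the reasons the mail gives, but every line in it should be one the release script is known to produce; anything else deserves a look before the checksums and signature are published.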