Should we stop distributing source tarballs?

Tobias Leupold tl at stonemx.de
Thu Apr 4 11:48:40 BST 2024


E-Mail von Albert Vaca Cintora vom Mittwoch, 3. April 2024, 18:34:04 CEST:
> Hi KDE folks,
> 
> The recent xz backdoor scandal made me realize how bad and obsolete
> distributing tarballs is. The source of truth for our code are the
> repositories, and releases can simply be tags on those repos.
> 
> As a big free software community, I think we should lead by example
> and get rid of tarballs altogether (as I hope to see in other projects
> as well) after the recent events.
> 
> Packagers can git pull.
> 
> If we ever replace git with something else, that something else will
> have tags as well.
> 
> What's the advantage of providing tarballs?
> 
> Albert

Hi,

I'm for sure nobody of importance here, but when you demand stopping releasing 
tarballs because some compression tool has been compromised you could as well 
demand to shut down all SSL servers because of the heartbleed bug or whatever.

Just speaking of me, I not only release tarballs for KDE software, but also 
for other projects. There, I do the following more than for KDE: A release 
tarball is not necessarily one exact tag. Some (re)source files may be altered 
whilst preparing the release, some other stuff may be compiled from different 
repos or sources. E.g. for the documentation of one of my other projects, I 
use a @DATE@ placeholder that is finally replaced by the actual release date 
by a release script, and translated from RST to HTML for the final release 
tarball. I often e.g. also use a version.h.in header file and let cmake 
generate the real version.h when compiling. When releasing, I remove it and 
replace it by a version.h file containing the very version of this release -- 
which does not exist in git at all.

Just what comes into my mind at once. A release is not always only a git tag.

Also, git tags can be moved, deleted, created again and so on. When you do a 
release tarball, one can create checksums, sign it and so on. And even if the 
git repo is deleted, the sources are moved to another CVS or whatever at some 
point in the future: The tarball still exists.

Also, one should think a bit more comprehensive here: Why should thousands of 
users create the same sources package over and over again if you can create it 
once, compress it and simply deliver it? This would be a waste of resources 
and energy, cause unneeded server load and so on.

So, from my point of view the answer here is: No, we definitely should not 
stop to distribute source tarballs.

Cheers, Tobias




More information about the kde-devel mailing list