Should we stop distributing source tarballs?

Ben Cooksley bcooksley at kde.org
Thu Apr 4 12:07:42 BST 2024


On Thu, Apr 4, 2024 at 10:48 PM Sune Vuorela <nospam at vuorela.dk> wrote:

> On 2024-04-03, Albert Vaca Cintora <albertvaka at gmail.com> wrote:
> > What's the advantage of providing tarballs?
>
> I do think there is an advantage in being able to verify that the source
> tarball is the same across distributions. Using a checksum on the
> tarball is an easy way of doing it. Different git invocations for git
> archive, different tar options and so on can create different checksums
> for the same content.
>

For those wondering, for all content served by download.kde.org and
files.kde.org, you can fetch a sha256 hash of the file in question by just
appending ".sha256" to the URL in question.
See
https://download.kde.org/stable/release-service/24.02.1/src/okular-24.02.1.tar.xz.sha256
for instance.

These won't show up in the file listings, and are not files that are
provided to mirrors - they are provided by our mirror management system
(Mirrorbits) directly.

As an additional aside - we don't currently GPG sign our Git tags, so there
is nothing validating that the person who made the release is actually the
person whose name is on it.
With GPG signatures we can at least validate who owns the key.


>
> I do also think it is nice if we get someone else to verify that the
> tarball we ship actually matches the tag. I think some people in
> distributions have already started looking into verifying that.
>

Hopefully they'll be gentle with tooling that does this?


>
> Also, git tags can be moved.
>
> /Sune
>
>
Cheers,
Ben
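Added example (not part of the mail above, nor KDE's own tooling): a small POSIX shell script showing the two checks discussed in the thread, verifying a tarball against its ".sha256" companion file, and comparing two archives by unpacked content rather than by checksum, which is why two archives of the same tree made with different tar options or timestamps can carry different hashes while still matching. It assumes sha256sum, tar, diff and mktemp are present, and assumes the ".sha256" file uses sha256sum's "<hash>  <filename>" layout; the tree and archives are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Assumes sha256sum, tar,
# diff and mktemp; the ".sha256" companion file is assumed to be in
# sha256sum format ("<hash>  <filename>"), as served next to a tarball.
set -e

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_sha256 FILE HASHFILE
# Returns 0 when FILE's digest equals the one recorded in HASHFILE.
verify_sha256() {
    expected=$(awk '{print $1}' "$2")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# same_content A.tar B.tar
# Returns 0 when both archives unpack to identical trees, even when their
# bytes (and so their checksums) differ because of tar metadata or options.
same_content() {
    a=$(mktemp -d); b=$(mktemp -d)
    tar -xf "$1" -C "$a"
    tar -xf "$2" -C "$b"
    if diff -r "$a" "$b" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$a" "$b"
    return $rc
}

# Constructed demo input: one source tree archived twice. Only the file's
# mtime changes between the two runs, which is enough to change the tar
# header bytes and therefore the checksum, while the content is unchanged.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/example-1.0"
echo 'int main(void) { return 0; }' > "$demo_dir/src/example-1.0/main.c"
touch -t 202401010000 "$demo_dir/src/example-1.0/main.c"
tar -cf "$demo_dir/example-1.0.tar" -C "$demo_dir/src" example-1.0
touch -t 202401020000 "$demo_dir/src/example-1.0/main.c"
tar -cf "$demo_dir/example-1.0-rebuilt.tar" -C "$demo_dir/src" example-1.0

# The companion hash file, written the way a mirror would publish it
# alongside the released tarball (hash, two spaces, bare filename).
sha256sum "$demo_dir/example-1.0.tar" | sed 's#/[^ ]*/##' \
    > "$demo_dir/example-1.0.tar.sha256"

# Stand-alone run: report the three checks.
if verify_sha256 "$demo_dir/example-1.0.tar" "$demo_dir/example-1.0.tar.sha256"; then
    echo "released tarball matches its .sha256 file"
fi
if ! verify_sha256 "$demo_dir/example-1.0-rebuilt.tar" "$demo_dir/example-1.0.tar.sha256"; then
    echo "rebuilt tarball has a different checksum"
fi
if same_content "$demo_dir/example-1.0.tar" "$demo_dir/example-1.0-rebuilt.tar"; then
    echo "...but unpacks to the same content"
fi
```

For a real release the first check is `curl -O <url>` and `curl -O <url>.sha256` followed by `verify_sha256`; the second check is what a distribution would do to confirm that a shipped tarball matches a `git archive` of the tag, since the archive bytes are not expected to be identical.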