Should we stop distributing source tarballs?

Jin Liu m.liu.jin at gmail.com
Thu Apr 4 12:28:09 BST 2024


The tree-id of a git commit is effectively a checksum of all files. So you
can ask packagers to pull a specific commit and verify either commit-id or
tree-id. No extra verification step needed.

Sune Vuorela <nospam at vuorela.dk> wrote on Thu, 4 Apr 2024 at 17:48:

> On 2024-04-03, Albert Vaca Cintora <albertvaka at gmail.com> wrote:
> > What's the advantage of providing tarballs?
>
> I do think there is an advantage in being able to verify that the source
> tarball is the same across distributions. Using a checksum on the
> tarball is an easy way of doing it. Different git invocations for git
> archive, different tar options and so on can create different checksums
> for the same content.
>
> I do also think it is nice if we get someone else to verify that the
> tarball we ship actually matches the tag. I think some people in
> distributions have already started looking into verifying that.
>
> Also, git tags can be moved.
>
> /Sune
>
>
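The tree-id check described in the message above, as an added shell example that is not part of the thread and not any project's release tooling. It assumes git, tar and sha256sum are installed; the repository, the tag name v1.0, the file contents and the tampered copy are all constructed in the script. It first shows the point made in the quoted reply (two tarballs of identical content have different checksums), then verifies each tarball by hashing its extracted contents as a git tree and comparing with `git rev-parse v1.0^{tree}`, so the honest tarballs pass and the tampered one is caught.

```shell
#!/bin/sh
# Added example (not from the thread): verify a source tarball against a git
# tag by comparing tree-ids instead of tarball checksums.
# Assumes git, tar and sha256sum are installed. Repository, tag "v1.0",
# file contents and the tampered copy are constructed for the demonstration.
set -eu

# tree_id_of_dir DIR: git tree-id of DIR's contents, computed in a throwaway
# repository so it can be compared with `git rev-parse <tag>^{tree}`.
tree_id_of_dir() {
    git -C "$1" init -q
    git -C "$1" add -A .
    git -C "$1" write-tree
}

# verify_tarball TARBALL REPO TAG: extract TARBALL, hash its contents as a git
# tree and compare with the tree-id of TAG in REPO. Returns 0 on match, 1 if not.
verify_tarball() {
    expected=$(git -C "$2" rev-parse "$3^{tree}")
    scratch=$(mktemp -d)
    tar -xf "$1" -C "$scratch"
    # git archive wraps everything in one prefix directory; hash that directory
    # when it is the only top-level entry, otherwise hash the extraction root.
    set -- "$scratch"/*
    if [ $# -eq 1 ] && [ -d "$1" ]; then root=$1; else root=$scratch; fi
    actual=$(tree_id_of_dir "$root")
    rm -rf "$scratch"
    echo "tree-id of $(basename "$1" 2>/dev/null || echo tarball): $actual (tag: $expected)"
    [ "$expected" = "$actual" ]
}

# demo: build a constructed repo and three tarballs, then check them.
# Returns 0 only if both honest tarballs verify and the tampered one does not.
demo() {
    work=$(mktemp -d)
    repo=$work/repo
    mkdir "$repo"
    git -C "$repo" init -q
    printf 'int main(void) { return 0; }\n' > "$repo/main.c"
    printf 'all:\n\tcc -o app main.c\n' > "$repo/Makefile"
    git -C "$repo" add -A .
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "release 1.0"
    git -C "$repo" tag v1.0

    # a.tar from git archive; b.tar re-packed with plain tar from the same
    # files (different tar format, headers and member order, same content).
    git -C "$repo" archive --prefix=proj-1.0/ -o "$work/a.tar" v1.0
    mkdir "$work/repack"
    tar -xf "$work/a.tar" -C "$work/repack"
    tar -cf "$work/b.tar" -C "$work/repack" proj-1.0

    # c.tar: same layout, but one file altered after the tag was made.
    printf '# line not present in the tagged tree\n' >> "$work/repack/proj-1.0/Makefile"
    tar -cf "$work/c.tar" -C "$work/repack" proj-1.0

    a_sum=$(sha256sum "$work/a.tar" | cut -d' ' -f1)
    b_sum=$(sha256sum "$work/b.tar" | cut -d' ' -f1)
    if [ "$a_sum" = "$b_sum" ]; then
        echo "a.tar and b.tar have the same sha256"
    else
        echo "a.tar and b.tar have different sha256 despite identical content"
    fi

    status=0
    verify_tarball "$work/a.tar" "$repo" v1.0 || status=1   # must match
    verify_tarball "$work/b.tar" "$repo" v1.0 || status=1   # must match
    verify_tarball "$work/c.tar" "$repo" v1.0 && status=1   # must NOT match
    rm -rf "$work"
    return $status
}

if demo; then
    echo "tree-id verification: OK"
else
    echo "tree-id verification: FAILED"
fi
```

The same `verify_tarball` function can be pointed at a real release tarball and a clone of the upstream repository; because it hashes the extracted files rather than the archive bytes, it is indifferent to the tar options, compression and prefix the release manager happened to use.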

