Should we stop distributing source tarballs?

Jin Liu m.liu.jin at
Thu Apr 4 12:28:09 BST 2024

The tree-id of a git commit is effectively a checksum of all files. So you
can ask packagers to pull a specific commit and verify either commit-id or
tree-id. No extra verification step needed.

Sune Vuorela <nospam at> wrote on Thu, Apr 4, 2024 at 17:48:

> On 2024-04-03, Albert Vaca Cintora <albertvaka at> wrote:
> > What's the advantage of providing tarballs?
> I do think there is an advantage in being able to verify that the source
> tarball is the same across distributions. Using a checksum on the
> tarball is an easy way of doing it. Different git invocations for git
> archive, different tar options and so on can create different checksums
> for the same content.
> I do also think it is nice if we get someone else to verify that the
> tarball we ship actually matches the tag. I think some people in
> distributions have already started looking into verifying that.
> Also, git tags can be moved.
> /Sune
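
An added illustration of the tree-id point discussed in this message (not part of the original e-mails, and not KDE or git project code): it recomputes a git tree id from file contents alone and shows that timestamps and creation order do not affect it, while any content change does. It assumes a SHA-1 repository with no content filters or submodules; the function names and sample files are constructed for the example.

```python
import hashlib, os, stat, tempfile

def git_object_id(kind, body):
    # git hashes "<kind> <length>\0" followed by the object body
    return hashlib.sha1(kind + b" %d\0" % len(body) + body).digest()

EMPTY_TREE = git_object_id(b"tree", b"")

def tree_id(path):
    """Recompute the git tree id of a directory (assumes SHA-1, no filters)."""
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if name == ".git":
            continue
        if stat.S_ISLNK(st.st_mode):
            mode, oid = b"120000", git_object_id(b"blob", os.fsencode(os.readlink(full)))
        elif stat.S_ISDIR(st.st_mode):
            mode, oid = b"40000", tree_id(full)
            if oid == EMPTY_TREE:      # git does not track empty directories
                continue
        else:
            mode = b"100755" if st.st_mode & 0o100 else b"100644"
            with open(full, "rb") as f:
                oid = git_object_id(b"blob", f.read())
        entries.append((os.fsencode(name), mode, oid))
    # git orders entries by name, comparing directories as if they ended in "/"
    entries.sort(key=lambda e: e[0] + (b"/" if e[1] == b"40000" else b""))
    body = b"".join(mode + b" " + name + b"\0" + oid for name, mode, oid in entries)
    return git_object_id(b"tree", body)

def write_files(root, files, mtime):
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, 0o644)
        os.utime(full, (mtime, mtime))

def demo():
    files = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}  # constructed
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_files(a, files, 1_000_000_000)
        write_files(b, dict(reversed(list(files.items()))), 1_700_000_000)
        same = (tree_id(a).hex(), tree_id(b).hex())
        write_files(b, {"src/main.c": b"int main(void){return 1;}\n"}, 1_700_000_000)
        return same, tree_id(b).hex()

if __name__ == "__main__":
    print(demo())
```

In a checkout of the same commit, the result of `tree_id()` can be compared with the output of `git rev-parse HEAD^{tree}`.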

More information about the kde-devel mailing list