Should we stop distributing source tarballs?

Neal Gompa ngompa13 at gmail.com
Thu Apr 4 15:08:39 BST 2024


On Thu, Apr 4, 2024 at 9:52 AM Harald Sitter <sitter at kde.org> wrote:
>
> On Thu, Apr 4, 2024 at 3:38 PM Tobias Leupold <tl at stonemx.de> wrote:
> >
> > On 04.04.24 at 13:25, Harald Sitter wrote:
> > > On Thu, Apr 4, 2024 at 12:57 PM Tobias Leupold <tl at stonemx.de> wrote:
> > >> Just what comes into my mind at once. A release is not always only a git tag.
> > >
> > > Doesn't that make your source tarball a derived work from the source
> > > in your git tag?
> >
> > Yes, of course! This was the point of what I wrote ...
>
> But then it's no longer **the** source. The source was your tag.

A lot of distributions can't really easily consume Git as a source for
software for packaging, and because Git has no immutability
guarantees, it's not exactly ideal as an input either.

That said, some of the issues that came up with the xz-utils compromise
are things we can more easily mitigate. We can be more vigilant about
CMake scripts and CMake modules. We should treat them at the same
level as source code itself for code review if we don't already.

Another thing to think about is maybe switching from xz compression to
zstd compression, as the compression ratio is generally quite close to
xz and decompression is significantly faster and cheaper than xz.


-- 
真実はいつも一つ!/ Always, there's only one truth!


More information about the kde-devel mailing list