On Fri, 2013-04-26 at 12:56 -0400, Colin Walters wrote: > On Fri, 2013-04-26 at 18:49 +0200, Emilio Pozuelo Monfort wrote: > > Hi, > > > > On 04/26/2013 05:01 PM, Colin Walters wrote: > > > On Fri, 2013-04-26 at 10:32 -0400, Dan Winship wrote: > > >> I want "make distcheck" to still run all of my tests, to guarantee that > > >> everything works correctly when built from a tarball, not just when > > >> built from git. > > > > > > That's going to be a high bar to jump; but I suppose it makes sense to > > > have both during the transition and give downstreams time to teach their > > > build systems about revision control. > > > > I'm not sure I follow here. Are you implying that you want to stop making > > tarballs eventually? > > Yes. > > https://mail.gnome.org/archives/release-team/2013-April/msg00038.html >
At least on Gentoo there is partially existing infrastructure but it is not considered superior to tarballs. The collision attack on git is possible, especially when the build is automated[1] and presumably by not closely watching user, while tarballs have their hash distributed by another channel on Gentoo. While for main releases in portage it is not a problem as probably the tarballs would be made by gnome team and uploaded they pose more of a problem for the overlays (sort of additional repos - new packages/unstable versions are usually found there) or bugzilla (another place where people are posting ebuilds). I would presume other source distribution (Nix, AUR in Arch) have similar problems. Additionally currently the Vala programs can be compiled with VALAC=/bin/true and depend entirely on generated sources which are not kept in git (as they are autogenerated during make distcheck). That came handy during the Gnome 3.8 transition as there are several packages that requires older version of Vala, which vapigen is not compatible with gobject-introspection 3.8. Such scheme would not be possible with git tags as the sources wouldn't exist. This would be problem for Vala among others as there would be no way to bootstrap compiler except by another Vala compiler. The same problem is for any files which are meant to not be built (always) by user but are not kept in git - including say autotools files. Requiring each user to run autogen would make the compilation longer (in addition to possible errors due to changes in autoconf/automake). I understand why access people what to restrict access to master.gnome.org but wouldn't replacing shell access with something else be sufficient (or possibly restricting it to scp possibly with special ui for verification without general purpose shell or tarball autogeneration)? Best regards [1] http://joeyh.name/blog/entry/sha-1/ _______________________________________________ desktop-devel-list mailing list desktop-devel-list@gnome.org https://mail.gnome.org/mailman/listinfo/desktop-devel-list