On Nov 26, 2010, at 3:58 PM, Dirkjan Ochtman wrote:

> On Fri, Nov 26, 2010 at 21:44, Noah Slater <[email protected]> wrote:
>> But assuming we got this working, we face the problem of not being able to
>> apply our own patches. Also, the software it downloads might have some bug
>> in it that was introduced a week, day, or hour before the release was made.
>> How would we defend ourselves against this?
>
> You pull a specific version tarball and check it against a checksum?
>
> Cheers,
>
> Dirkjan
If we need to use a patched version of an upstream repo, we can host our own fork of the canonical git repository and apply the patches there. I'm not sure what ASF requirements would be regarding the hosting of those repositories. The canonical sources for all of our upstream dependencies - including Erlang/OTP - are now on github, so if the fork is hosted there, upstream contributions will be that much easier to make.

Regardless of the presence or absence of custom patches, using our own copy of the repo ensures that we maintain full control over the inclusion of upstream changes. If we're tracking the master branch of an upstream dependency and we want to pin our builds to a specific commit, we can simply tag that commit and do future builds from that tag.

Regards,
Adam
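The two practices raised in this thread (Dirkjan's "pull a specific version and check it against a checksum" and Adam's "fork, patch, tag the commit, build from the tag") fit together into one small workflow. The script below is an added example written for this page, not something from the CouchDB project or from either author. It builds a throwaway upstream repository under a temp directory as a stand-in for the real canonical repo, clones it as "our fork", applies a local patch, tags the pinned commit, exports a tarball from that tag, and verifies the tarball against its published checksum. The tag name `build-1.0`, the file names, and the author identity are all made up for the example.

```shell
#!/bin/sh
# Added example: pin a dependency build to a tagged commit in our own fork and
# verify the exported tarball against a checksum. Everything here runs offline
# against a constructed "upstream" repository created in a temp directory.
set -eu

# Fixed identity so commits and annotated tags work in a clean environment (constructed).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# make_upstream DIR: create a stand-in for the canonical upstream repository.
make_upstream() {
  git -c init.defaultBranch=master init -q "$1"
  printf 'upstream content\n' > "$1/README"
  git -C "$1" add README
  git -C "$1" commit -q -m "upstream: initial import"
}

# make_fork UPSTREAM DIR: clone upstream into our fork, apply a local patch,
# and tag the resulting commit so future builds can be pinned to it.
make_fork() {
  git clone -q "$1" "$2"
  printf 'local patch applied by our fork\n' >> "$2/README"
  git -C "$2" commit -q -a -m "fork: apply local patch"
  git -C "$2" tag -a build-1.0 -m "pinned build commit"
}

# pinned_commit FORK TAG: resolve the tag to the exact commit a build will use.
pinned_commit() {
  git -C "$1" rev-parse "$2^{commit}"
}

# export_tarball FORK TAG OUT: produce the tarball a release would publish.
export_tarball() {
  git -C "$1" archive --format=tar -o "$3" "$2"
}

# sha256_of FILE: hex digest (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | awk '{print $1}'
}

# verify_tarball FILE SUMFILE: 0 if the digest matches the published one, 1 otherwise.
# A mismatch means the archive is not the one we pinned and must not be built.
verify_tarball() {
  expected=$(cat "$2")
  actual=$(sha256_of "$1")
  [ "$expected" = "$actual" ]
}

# run_demo: the whole flow end to end; prints the pinned commit and checksum.
run_demo() {
  work=$(mktemp -d)
  make_upstream "$work/upstream"
  make_fork "$work/upstream" "$work/fork"
  export_tarball "$work/fork" build-1.0 "$work/build-1.0.tar"
  sha256_of "$work/build-1.0.tar" > "$work/build-1.0.tar.sha256"
  if verify_tarball "$work/build-1.0.tar" "$work/build-1.0.tar.sha256"; then
    echo "pinned commit: $(pinned_commit "$work/fork" build-1.0)"
    echo "tarball sha256: $(cat "$work/build-1.0.tar.sha256")"
  else
    echo "checksum mismatch: refusing to build" >&2
    rm -rf "$work"
    return 1
  fi
  rm -rf "$work"
}

run_demo
```

Pulling upstream changes later is then an explicit step (fetch, review, merge, tag a new build commit) rather than something that happens silently because a release was cut an hour before the build ran.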
