On 03/02/2018 04:18 PM, Luke Shumaker wrote:
> On 2018-02-27 at 12:28:07
> Stuart Henderson wrote:
>> Many ports are using github's on-the-fly generated source-code tarballs
>> via the GH_ variables in Makefiles.
>>
> Though I wonder if that's intentional/allowed, or if it's really just
> a bug in GitHub.
> 
>> :   "It is not meant to be reliable or a way to distribute software
>> :   releases and nothing in the software stack is made to try to
>> :   produce consistent archives."
> 
> I can't seem to find a source for that quote.
> 

i would like to see that documentation also

i don't know what those GH_ variables in Makefiles actually do - but
i can say from my experience that the github auto-generated "releases"
that are based on git tags seem to be exactly what you get with the `git
archive` command - i use a git commit hook that creates the tarball with
`git archive` then signs it with GPG then downloads the auto-generated
tarball from github and compares the local signature against the remote
tarball before uploading the signature and i have not seen any
inconsistency - maybe the "tagged" releases are more stable or maybe i
have just been lucky i dunno





_______________________________________________
Dev mailing list
Dev@lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/dev
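
The comparison described in the message above, as an added example (not the poster's hook and not part of the original thread): it separates "byte-identical" from "same tar stream, different gzip layer", since a detached signature made over the local tarball only verifies in the first case. The function names, the throwaway repository, the `repo-1.0/` prefix and the recompressed copy standing in for a downloaded tarball are all constructed assumptions.

```shell
#!/bin/sh
# Added example: compare a local `git archive` tarball with a second copy.

# sha256 of a file's raw bytes, and of its decompressed tar stream.
file_hash()   { sha256sum < "$1" | cut -d' ' -f1; }
stream_hash() { gzip -dc "$1" | sha256sum | cut -d' ' -f1; }

# compare_archives LOCAL REMOTE -> identical | same-content | different
compare_archives() {
    if [ "$(file_hash "$1")" = "$(file_hash "$2")" ]; then
        echo identical      # a detached signature over LOCAL also verifies REMOTE
    elif [ "$(stream_hash "$1")" = "$(stream_hash "$2")" ]; then
        echo same-content   # only the gzip layer differs; the signature will not verify
    else
        echo different      # the tar stream itself differs
    fi
}

# verify_remote SIG REMOTE: the GPG step from the post (needs the signer's public key).
verify_remote() { gpg --verify "$1" "$2"; }

# Constructed demo: throwaway repo tagged v1.0, with stand-ins for the download.
demo() {
    d=$(mktemp -d) || return 1
    git init -q "$d/repo"
    echo 'hello' > "$d/repo/README"
    git -C "$d/repo" add README
    git -C "$d/repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'initial'
    git -C "$d/repo" tag v1.0
    # The prefix "repo-1.0/" is an assumed naming, not taken from the post.
    git -C "$d/repo" archive --format=tar.gz --prefix=repo-1.0/ -o "$d/local.tar.gz" v1.0
    git -C "$d/repo" archive --format=tar.gz --prefix=repo-1.0/ -o "$d/again.tar.gz" v1.0
    # Same tar stream, recompressed at a different gzip level.
    gzip -dc "$d/local.tar.gz" | gzip -1n > "$d/recompressed.tar.gz"
    # Different tar stream: same tag archived under another prefix.
    git -C "$d/repo" archive --format=tar.gz --prefix=other/ -o "$d/other.tar.gz" v1.0
    echo "$(compare_archives "$d/local.tar.gz" "$d/again.tar.gz")" \
         "$(compare_archives "$d/local.tar.gz" "$d/recompressed.tar.gz")" \
         "$(compare_archives "$d/local.tar.gz" "$d/other.tar.gz")"
    rm -rf "$d"
}
demo
```

A `same-content` result means the files inside are unchanged but a checksum or signature pinned to the compressed file will still fail.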
