On Monday, 9 October 2017 at 18:56:13 UTC, Martin Nowak wrote:
> On 10/07/2017 03:20 PM, Eugene Wissner wrote:
>> But please consider something different than github as
>> alternative. GitHub doesn't guarantee that it always generates
>> the same tarball for the same commit/release, so the checksum
>> can change and the downloaded tarball looks corrupted, though
>> it has absolutely the same content.
> Ah good to know, indeed seems to be a problem for GH's archive
> endpoints? Would of course be a no-go for distro build receipts.
I had this problem about two weeks ago.
As an example: Slackware is a half-binary, half-source based
Linux. The core system is provided as binary packages and
most users build other programs from slackbuilds.org which
provides a huge collection of third-party packages as automated
build scripts (but they don't keep the sources, only scripts that
build a package from the source). There are also automation tools
to compile all the dependencies if needed. It is slightly similar
to how FreeBSD ports work. Such a tool has to verify that the
downloaded source is not corrupted and it is done with MD5.
Actually I think that it can be a problem for many smaller Linux
distributions that are community-driven and not backed by
commercial organizations and don't have the power to keep all
sources themselves like Debian does.
GitHub breaks the archives very, very seldom, but if it happens it
is very painful.
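
Added example, not part of the original post: a sketch of the failure mode described above, where two generated tarballs of the same tree fail an archive checksum even though every file is identical. The sample tree, the function names, and the use of SHA-256 instead of the MD5 mentioned in the post are assumptions; the changed timestamp and gzip level stand in for whatever the archive generator alters between runs.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree: member path -> file bytes.
FILES = {"pkg-1.0/README": b"hello\n", "pkg-1.0/src/main.d": b"void main() {}\n"}

def make_tarball(files, mtime, level):
    """Build a .tar.gz in memory with the given member mtime and gzip level."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """What a build script pins today: a hash of the compressed bytes."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """Hash of sorted (path, type, mode, data) per member; ignores
    timestamps, ownership and compression settings."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            # Read in memory only; nothing is extracted to disk.
            data = tar.extractfile(m).read() if m.isfile() else m.linkname.encode()
            header = f"{m.name}\0{m.type.decode()}\0{m.mode:o}\0{len(data)}\0"
            h.update(header.encode() + data)
    return h.hexdigest()

if __name__ == "__main__":
    first = make_tarball(FILES, mtime=1507000000, level=6)
    regenerated = make_tarball(FILES, mtime=1507600000, level=9)
    print("archive digests equal:", archive_digest(first) == archive_digest(regenerated))
    print("content digests equal:", content_digest(first) == content_digest(regenerated))
```

The content digest still changes when any file's bytes, path or mode change, so it keeps the integrity check while tolerating a regenerated archive. It has to parse the archive before anything is verified, which is why the sketch reads members in memory and never extracts them.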