Mike Auty posted on Sun, 11 Mar 2018 19:19:00 +0000 as excerpted:

> tldr; Github will tarball up specific commits (or master) for you to add
> to SRC_URI.
> I ended up using the github API to pull down a tarball of the git repo,
> rather than using git to pull it down.  I suppose that offers the
> ability to Manifest it and check for changes, but I now have to encode
> the fixed commit into every version of the ebuild because the only
> location it's recorded is in the submodule commit hash of the package's
> repo.

Please check...

If I'm recalling correctly a warning posted on this list, repeated calls 
to the github tarballing API for the same commit will result in delivery 
of tarballs with differing checksums.  How/why wasn't explained as I 
recall, possibly part of the reason I'm not sure I'm recalling things 
correctly as that would have internally flagged it as unreliable/needing-
verification, but that was the warning as I remember it.

If it's correct, you can pull the tarball from github to store on devspace 
and link it as the checksummed tarball, as that's static and won't 
change, but you can't link the github tarballing API directly, as that 
/will/ change and thus will fail sources checksum verification at least 
some of the time.

But (assuming avoiding linking devspace is worth the trouble in the first 
place if possible) either verify it yourself or wait for verification/
negation from others, as I'm not entirely sure I'm recalling that warning 
post correctly.  It might have been for other than github, or I might 
have misunderstood, or maybe they've fixed that problem by now, or...

Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Reply via email to