On Wed, 11 Nov 2020 19:38:35 -0500
Rich Freeman <[email protected]> wrote:

> I just host stuff like that on my dev webspace, or better yet on
> github or something else that will auto-tarball stuff.

Oh, yeah, and don't rely on github auto-tarball stuff.

History has demonstrated github sometimes "forgets" their cached copies
of those tarballs, and then later when requested, it will regenerate
them fresh ... but with different SHAsums.

If you're gonna use github for tarballs, roll that tarball yourself,
and attach it to a "release", manually and explicitly, and then use the
URL to the release asset.

Only then can you be sure: 

a) Of what the tarball actually contains
b) Of what the tarball's SHAsum will be

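Added illustration, not part of the original message: the sketch below rolls the same constructed source tree into a `.tar.gz` twice and shows that the unpacked contents match while the SHA-256 digests differ, so only the self-rolled copy passes a pinned-checksum check. The gzip timestamp and compression level stand in for whatever changes when a hosting service regenerates an archive; that choice, the sample tree, and all function names are assumptions of this example.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree: member path -> file contents.
SAMPLE_TREE = {
    "pkg-1.0/README": b"example package\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
}

def make_tarball(tree, gzip_mtime, level):
    """Roll a .tar.gz with fixed member metadata; only gzip settings vary."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):          # stable member order
            info = tarfile.TarInfo(name)   # uid/gid 0 and empty owner names by default
            info.size = len(tree[name])
            info.mtime = 0                 # fixed member timestamp
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime,
                       compresslevel=level) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def unpacked(tarball):
    """Return {member name: contents} so archives can be compared by content."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}

def verify(tarball, pinned_digest):
    """Manifest-style check: the download must match the pinned digest exactly."""
    return sha256(tarball) == pinned_digest

if __name__ == "__main__":
    # Self-rolled release asset: built once, digest recorded in the manifest.
    release_asset = make_tarball(SAMPLE_TREE, gzip_mtime=0, level=9)
    pinned = sha256(release_asset)
    # Stand-in for a regenerated archive: same files, different gzip settings.
    regenerated = make_tarball(SAMPLE_TREE, gzip_mtime=1605141515, level=6)
    print("same contents:", unpacked(release_asset) == unpacked(regenerated))
    print("release asset verifies:", verify(release_asset, pinned))
    print("regenerated verifies:  ", verify(regenerated, pinned))
```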