On Wed, 11 Nov 2020 19:38:35 -0500 Rich Freeman <[email protected]> wrote:
> I just host stuff like that on my dev webspace, or better yet on
> github or something else that will auto-tarball stuff.

Oh, yeah, and don't rely on github auto-tarball stuff.

History has demonstrated github sometimes "forgets" their cached copies
of those tarballs, and then later when requested, it will regenerate
them fresh ... but with different SHAsums.

If you're gonna use github for tarballs, roll that tarball yourself,
and attach it to a "release", manually and explicitly, and then use the
URL to the release asset.

Only then can you be sure:

a) Of what the tarball actually contains
b) Of what the tarball's SHAsum will be
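Why a regenerated tarball can hash differently although the source tree is unchanged, as an added example that is not part of the original message. The gzip timestamp and compression level varied here are assumptions chosen to show one possible cause, not a statement of what GitHub actually changes; the file tree is constructed sample data.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree: identical file contents go into both archives.
FILES = {"pkg-1.0/README": b"hello\n",
         "pkg-1.0/src/main.c": b"int main(void){return 0;}\n"}

def make_tarball(files, gzip_mtime, compresslevel):
    """Build a .tar.gz in memory; tar metadata is fixed, only gzip settings vary."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # pin member timestamps so the tar layer is stable
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime,
                       compresslevel=compresslevel) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """Digest of the archive bytes, which is what a distfile manifest pins."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """Digest over member names and contents only, ignoring container bytes."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(m.name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def compare():
    """Simulate a first download and a later server-side regeneration."""
    first = make_tarball(FILES, gzip_mtime=1605141515, compresslevel=6)
    regenerated = make_tarball(FILES, gzip_mtime=1700000000, compresslevel=9)
    return {"same_archive_sha": archive_sha256(first) == archive_sha256(regenerated),
            "same_content": content_digest(first) == content_digest(regenerated)}

if __name__ == "__main__":
    print(compare())
```

A checksum recorded against the archive bytes fails on the regenerated file even though nothing in the tree changed, which is why a manually uploaded release asset with fixed bytes is the stable thing to pin.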
