Lo! Am 20.04.20 um 16:41 schrieb Jeremy Cline: > On Fri, Apr 17, 2020 at 10:06:02PM +0200, Thorsten Leemhuis wrote: >> Am 17.04.20 um 20:55 schrieb Don Zickus: > […] >>> Is there any other large concern with the new workflow? >> The more I think about this the more I dislike that we are not using >> official, pristine tarballs anymore. This "Source0 is a tarball >> generated from a git tree maintained outside of the Fedora infra and >> patched with buildscripts" IMHO violates the intention of the SourceURL >> part of the Fedora Packaging Guidelines that was put in place for good >> reasons (by both red hat and community contributors): >> https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/ > > It sounds like maybe there's confusion about what the new tarball > contains.
Yes, there… > The tarballs that are generated and checked into dist-git contain no > Fedora modifications and are directly from a commit or tag Linus's git > tree generated with git-archive[0]. …indeed was. I apologize for getting this wrong. Just one suggestion in that case: > The only thing that changed is > before we took the latest tagged release, then applied an rc patch from > upstream if available, then the snapshot from that week's development as > a patch generated on the maintainer's machine, then applied > Fedora-specific patches. Now we just git-archive Linus's master branch > for the day. Can't we make that clearer by using something like this? Source0: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapshot/linux-ae83d0b416db002fe95601e7f97f64b59514d936.tar.gz That was for 5.7-rc2 and makes it obvious where I can download this from if I do not trust the contents of the SRPM. And/or a comment right before the Source0 line that explains the situation for ordinary people might be good enough (yes, there is one, but it's hard to understand). > We can download the tarball (created by git-archive on a signed tag) > from kernel.org instead of running git-archive on a signed tag > ourselves if that will really help people sleep at night, but we'll > still be slapping unsigned snapshots on top of that so it's not clear to > me that we'll be gaining much. Yeah, you definitely have a point for rawhide. But once this scheme is used for stable releases it's a bit different, as there the base will normally have signed tag. CU, knurd _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
