On 20.04.20 at 18:55, Don Zickus wrote:
> On Sat, Apr 18, 2020 at 02:35:24PM +0200, Thorsten Leemhuis wrote:
>> On 17.04.20 at 22:06, Thorsten Leemhuis wrote:
>>> On 17.04.20 at 20:55, Don Zickus wrote:
>>>> Is there any other large concern with the new workflow?
>>> The more I think about this the more I dislike that we are not using
>>> official, pristine tarballs anymore. This "Source0 is a tarball
>>> generated from a git tree maintained outside of the Fedora infra and
>>> patched with buildscripts" IMHO violates the intention of the SourceURL
>>> part of the Fedora Packaging Guidelines that was put in place for good
>>> reasons (by both red hat and community contributors):
>>> https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/
> […]
> Thanks for the feedback!  I believe we would like to work out a solution for
> this. […]
> Signed tags could work, but they are only applied to releases, not
> the -rcX updates.  So there is a limitation to that.
> 
> Looking through the Fedora Doc you posted, they seem to provide examples of
> using a git commit for reference (despite kernel.org using tarballs).  In
> essence that is what we are doing, using more of the upstream commit and
> generating our own tarball from that commit.
> 
> Obviously, the problem comes down to trust.  Just trying to figure out the
> most reasonable way to prove we didn't make any mistakes when generating the
> tarball using the tools we have available.
> 
> Thoughts?

This overlaps a bit with the reply I just sent to Jeremy (
https://lists.fedoraproject.org/archives/list/[email protected]/message/PZ3ZCUL2WI7ECONM5HNE6QNZMKTO64VR/
), nevertheless:

How about something like this:

* For Source0 on Rawhide with its daily snapshots use something like this:

Source0: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/snapshot/linux-ae83d0b416db002fe95601e7f97f64b59514d936.tar.gz

(taken from
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ae83d0b416db002fe95601e7f97f64b59514d936)

Use something like this everywhere else:

Source0: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/snapshot/linux-5.6.6.tar.gz

* For rawhide and its daily snapshots just trust what everyone can download at 
git.kernel.org. Everywhere else verify the signed tag in the %prep section of 
the spec file just like the packaging guidelines suggest:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures

CU, knurd
_______________________________________________
kernel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
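Editorial addition, not part of the thread above and not code from the Fedora kernel package: Don asks how to "prove we didn't make any mistakes when generating the tarball", and Thorsten's answer is to point Source0 at something anyone can fetch from git.kernel.org. The script below shows the check a reviewer can run in either case: regenerate the tarball from the commit it claims to come from with `git archive`, extract both, and compare the trees. It also shows that the generated archive is bit-for-bit reproducible (`git archive` is deterministic for a given commit, `gzip -n` drops the embedded timestamp), and that a tampered or mis-generated tarball is caught even though it has a perfectly valid checksum of its own. One caveat worth keeping in mind when reading the proposal: a cgit `snapshot/` tarball is produced on the fly and carries no detached signature, and verifying a signed tag needs the tag and commit objects, so the `%prep` signature check the guidelines describe only maps directly onto the signed release tarballs kernel.org publishes. The repository, files and commit used here are constructed sample data; `git`, `tar`, `gzip`, `diff` and `cmp` are assumed to be installed, and nothing touches the network.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Fedora kernel package.
# Re-derive a git-generated Source0 tarball from its commit and compare the
# contents, so "we generated the tarball ourselves" becomes a reviewable claim.
# Assumes git, tar, gzip, diff and cmp are installed; runs entirely offline.
set -eu

# setup_demo_repo: tiny throw-away repository standing in for the kernel tree
# (constructed sample data, not real kernel sources). Prints the repo path.
setup_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    printf 'obj-y += init/\n' > "$repo/Makefile"
    mkdir "$repo/init"
    printf 'int main(void) { return 0; }\n' > "$repo/init/main.c"
    git -C "$repo" add -A
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'constructed sample tree'
    echo "$repo"
}

# make_snapshot REPO COMMIT OUT: build linux-<commit>.tar.gz the way a packager
# (or cgit's snapshot link) would. git archive is deterministic for a commit
# and gzip -n omits the timestamp, so two runs yield identical bytes.
make_snapshot() {
    git -C "$1" archive --format=tar --prefix="linux-$2/" "$2" | gzip -n > "$3"
}

# verify_snapshot REPO COMMIT TARBALL: regenerate from COMMIT and compare the
# extracted trees rather than the compressed bytes, which can differ across
# gzip or git versions. Returns 0 when identical, 1 when the trees differ.
verify_snapshot() {
    work=$(mktemp -d)
    mkdir "$work/ref" "$work/regen"
    make_snapshot "$1" "$2" "$work/regen.tar.gz"
    tar -xzf "$3" -C "$work/ref"
    tar -xzf "$work/regen.tar.gz" -C "$work/regen"
    if diff -r "$work/ref" "$work/regen" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# tamper_snapshot TARBALL OUT: re-pack TARBALL with one file changed, standing
# in for a buildscript mistake or an edit on the packager's side. The result
# has a valid checksum of its own, so only re-derivation from the commit
# reveals that it no longer matches upstream.
tamper_snapshot() {
    work=$(mktemp -d)
    tar -xzf "$1" -C "$work"
    top=$(ls "$work")
    printf 'int main(void) { return 1; }\n' > "$work/$top/init/main.c"
    tar -czf "$2" -C "$work" "$top"
    rm -rf "$work"
}

# demo: run the check against a faithful and a tampered tarball.
demo() {
    repo=$(setup_demo_repo)
    commit=$(git -C "$repo" rev-parse HEAD)
    good=$(mktemp); bad=$(mktemp)
    make_snapshot "$repo" "$commit" "$good"
    tamper_snapshot "$good" "$bad"
    if verify_snapshot "$repo" "$commit" "$good"; then
        echo "faithful tarball: matches commit $commit"
    fi
    if verify_snapshot "$repo" "$commit" "$bad"; then
        echo "tampered tarball: unexpectedly matched"
    else
        echo "tampered tarball: does NOT match commit $commit"
    fi
    rm -rf "$repo" "$good" "$bad"
}

demo
```

For a real package the same `verify_snapshot` call would take the packager's Source0 tarball and the commit recorded in the spec (or in the tarball name, as in `linux-ae83d0b4….tar.gz`); the comparison is on extracted content, so it works whether the tarball came from cgit, from a buildscript, or from a local `git archive`.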