On 01/06/15 12:10, Flavio Percoco wrote:

> Is this a real problem? What are *tarball timestamps* used for in the
> packaging world?
>
> I'm sure there's a way we can work around this issue.

Timestamps just give you a hint of how old the source actually is, not when a packager downloaded the tarball somewhere. They just give you a more realistic idea of how ancient the ancient code release is.


>> And: you probably want some hashes to verify your downloaded tarball
>> is actually what you wanted.
>
> These can be generated as well. You can generate a tarball hash for
> each commit and keep it around. The hash shouldn't change if the
> tarball is generated on-the-fly. You could actually generate it
> on-the-fly as well.

Sure, you can. You still need to provide that info. Ideally you'd prepare a signed file containing your hash.

I mean, something comparable to:

http://centos.bio.lmu.de/7/isos/x86_64/sha256sum.txt.asc

(for CentOS 7 iso files).


Matthias
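
Added example, not part of the original thread: a sketch of why an on-the-fly tarball only hashes the same every time when its timestamps are pinned (here to the commit time), and how a packager would check a download against a sha256sum-style file. The file names, sample tree and commit time are constructed; the checksum file is assumed to have had its signature checked already (for example with `gpg --verify`).

```python
import gzip, hashlib, hmac, io, tarfile

# Constructed sample data standing in for one commit's tree and commit time.
COMMIT_TIME = 1433155800
FILES = {"pkg/__init__.py": b"", "pkg/core.py": b"print('hi')\n", "README": b"demo\n"}

def build_tarball(files, commit_time, gzip_mtime):
    """Return .tar.gz bytes whose members carry the commit time, not 'now'."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):              # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = commit_time            # tells the packager how old the source is
            info.mode = 0o644                   # fixed mode and owner: no builder metadata
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header has its own timestamp field; it must be pinned as well.
    with gzip.GzipFile(fileobj=out, mode="wb", filename="", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def checksum_line(data, name):
    """One line in the format written by sha256sum."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}"

def verify(data, name, checksum_text):
    """True only if checksum_text lists `name` with the SHA-256 of `data`."""
    digest = hashlib.sha256(data).hexdigest()
    for line in checksum_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == name:
            return hmac.compare_digest(parts[0].lower(), digest)
    return False                                # not listed: treat as unverified

def member_mtimes(data):
    """Timestamps a packager sees when inspecting the archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return {m.mtime for m in tar.getmembers()}

if __name__ == "__main__":
    published = build_tarball(FILES, COMMIT_TIME, gzip_mtime=0)
    listing = checksum_line(published, "demo-1.0.tar.gz")
    regenerated = build_tarball(FILES, COMMIT_TIME, gzip_mtime=0)
    print(listing)
    print("regenerated matches:", verify(regenerated, "demo-1.0.tar.gz", listing))
    unpinned = build_tarball(FILES, COMMIT_TIME, gzip_mtime=None)  # header gets 'now'
    print("unpinned matches:  ", verify(unpinned, "demo-1.0.tar.gz", listing))
```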


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
