On Thu, 2008-01-17 at 19:28 +0200, Yair K. wrote:
> On Thursday 17 January 2008 18:37:19 Dev Mazumdar wrote:
> > Hi,
> >
> > While I agree with this, how do we specify the build id in the package
> > name?
> >
> > We can guarantee that whatever is in the stable/$LICENSE is always the
> > latest - you will only find ONE bz2 file there.
> >
> > The other option is we rename as follows:
> > sources/stable/oss-4.0-stable-<license>.tar.bz2
> > But you never know what version this file is.
> >
> > Yet another option is that we have a symlink:
> > LATEST -> oss-4.0-<buildid>-<license>-tar.bz2
> > Then you pull down LATEST using wget or whatever.
> >
>
> The latter option sounds simplest. Two other things I'd suggest:
> 1) Having the newest version already in attic/. That way, there's already
> a stable link if a package system is interested in that particular build.
> 2) Having a checksum on the server for the source tarballs (LATEST.sha?).
> The recent SquirrelMail vulnerability[1] shows that the source poisoning
> method is used in the wild. (Yes, an attacker will change the checksum on the
> affected server, but a user can verify against a checksum from a different
> mirror from the one downloading LATEST). I'm no expert at this, but MD5
> sounds like it's about to be broken for verification, so I'd suggest using a
> SHA-based method.
>
> [1]
> http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw
>
> Yours,
> Yair K.

Hello,

As a Gentoo ebuild maintainer, I think that for us the easier way would be to keep the versioning scheme, and have all the files in the same dir so that it will be easier to maintain older versions without changing the ebuilds.

The versioning scheme would be irrelevant, if it is monotonic and consistent in time. If you feel like having each license in another dir, I don't mind.

Also, the LATEST symlink would be irrelevant for us because we use MD5 and SHA hashes that must be re-generated for each new version. The most important thing is that different versions shouldn't have the same name, but instead increase the version number if the file/hash was changed.

Best regards,
Cristi
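
An added example (not part of the original messages, and not OSS project code) of the check discussed in this thread: verifying a downloaded tarball against a checksum fetched from a different mirror than the download source. SHA-256, the sha256sum-style checksum file layout, the placeholder file name and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io

# Constructed sample data: placeholder file name and stand-in tarball bytes.
NAME = "oss-4.0-BUILDID-LICENSE.tar.bz2"
GOOD = b"constructed stand-in for the genuine tarball"
MODIFIED = GOOD + b" plus an unauthorized change"

def sha256_stream(fileobj, chunk_size=65536):
    """Hash a file-like object in chunks so large tarballs are not read whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def checksum_line(data, name):
    """Build one sha256sum-style line ("<hex>  <name>") for the sample data."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

def parse_checksum_file(text, name):
    """Return the well-formed SHA-256 hex digest listed for `name`, else None."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[1].strip().lstrip("*") != name:
            continue
        digest = parts[0].lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            return digest
    return None

def verify_tarball(fileobj, name, download_mirror_sums, other_mirror_sums):
    """Trust the download only if it matches a checksum from a second mirror."""
    actual = sha256_stream(fileobj)
    independent = parse_checksum_file(other_mirror_sums, name)
    if independent is None:
        return "no-independent-checksum"
    if not hmac.compare_digest(actual, independent):
        return "mismatch-with-independent-mirror"
    same_server = parse_checksum_file(download_mirror_sums, name)
    if same_server is not None and same_server != independent:
        return "mirrors-disagree"  # file matches, but the two checksum files differ
    return "ok"

if __name__ == "__main__":
    # Download mirror serves a modified tarball with a matching modified checksum.
    print(verify_tarball(io.BytesIO(MODIFIED), NAME,
                         checksum_line(MODIFIED, NAME), checksum_line(GOOD, NAME)))
```

The same comparison applies when the independent value is a digest pinned in a package recipe rather than a second mirror, which is why a changed file under an unchanged name shows up as a mismatch.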