Cristi Magherusan wrote:
> On Thu, 2008-01-17 at 19:28 +0200, Yair K. wrote:
>> On Thursday 17 January 2008 18:37:19 Dev Mazumdar wrote:
>>> Hi,
>>>
>>> While I agree with this, how do we specify the build id in the package
>>> name?
>>>
>>> We can guarantee that whatever is in the stable/$LICENSE is always the
>>> latest - you will only find ONE bz2 file there.
>>>
>>> The other option is we rename as follows:
>>> sources/stable/oss-4.0-stable-<license>.tar.bz2
>>> But you never know what version this file is.
>>>
>>>
>>> Yet another option is that we have a symlink:
>>> LATEST -> oss-4.0-<buildid>-<license>-tar.bz2
>>> Then you pull down LATEST using wget or whatever.
>>>
>> The latter option sounds simplest. Two other things I'd suggest:
>> 1) Having the newest version already in attic/ . That way, there's already
>> a stable link if a package system is interested in that particular build.
>> 2) Having a checksum on the server for the source tarballs (LATEST.sha?).
>> The recent SquirrelMail vulnerability[1] shows that the source poisoning
>> method is used in the wild. (Yes, an attacker will change the checksum on
>> the affected server, but a user can verify against a checksum from a
>> different mirror from the one downloading LATEST). I'm no expert at this,
>> but MD5 sounds like it's about to be broken for verification, so I'd
>> suggest using a SHA-based method.
>>
>> [1]
>> http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw
>>
>> Yours,
>> Yair K.
>
> Hello,
>
> As a Gentoo ebuild maintainer, I think that for us the easier way would
> be to keep the versioning scheme, and have all the files in the same dir
> so that it will be easier to maintain older versions without changing
> the ebuilds. The versioning scheme would be irrelevant, if it is
> monotonic and consistent in time.
>
> If you feel like having each license in another dir, I don't mind. Also,
> the LATEST symlink would be irrelevant for us because we use MD5 and SHA
> hashes that must be re-generated for each new version.
>
> The most important is that different versions shouldn't have the same
> name, but instead increase the version number if the file/hash was
> changed.
>
> Best regards,
>
> Cristi
>
> _______________________________________________
> oss-devel mailing list
> oss-devel@mailman.opensound.com
> http://mailman.opensound.com/mailman/listinfo/oss-devel
>

Hi,

Another idea is that we separate all the distros according to license - so
stuff from the attic will be moved to the appropriate license directory and
in each directory we have:

LATEST-IS-BUILD1013 -> oss-v4.0-build1012-gpl.tar.bz2

Take a look now.

regards
Dev Mazumdar

-----------------------------------------------------------
4Front Technologies
4035 Lafayette Place, Unit F, Culver City, CA 90232, USA.
Tel: (310) 202 8530             URL: www.opensound.com
Fax: (310) 202 0496             Email: [EMAIL PROTECTED]
-----------------------------------------------------------
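
The cross-mirror check suggested earlier in the thread (verify the download against a checksum fetched from a different server than the one serving the tarball), as an added example that is not code from the thread or from the OSS project. It assumes SHA-256 and `sha256sum`-format checksum files; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

def parse_sha256_file(text):
    """Parse sha256sum-style lines ("<hex>  <name>") into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def verify_tarball(name, data, primary_sums, independent_sums):
    """Accept the download only if its locally computed digest matches the
    checksum published on BOTH the download server and a second mirror."""
    actual = hashlib.sha256(data).hexdigest()
    primary = parse_sha256_file(primary_sums).get(name)
    independent = parse_sha256_file(independent_sums).get(name)
    if primary is None or independent is None:
        return False, "no checksum published for this file name"
    if primary != independent:
        return False, "mirrors disagree on the checksum for this name"
    if actual != primary:
        return False, "download does not match the published checksum"
    return True, "verified against both mirrors"

# --- constructed sample data (stand-ins, not real OSS tarballs) ---
NAME = "oss-v4.0-build1012-gpl.tar.bz2"
GOOD = b"constructed stand-in for the genuine tarball bytes"
EVIL = GOOD + b" plus injected code"

def sums_for(data):
    """Build the checksum file a server would publish for `data`."""
    return f"{hashlib.sha256(data).hexdigest()}  {NAME}\n"

def demo():
    clean = verify_tarball(NAME, GOOD, sums_for(GOOD), sums_for(GOOD))
    # Poisoned server: tarball AND its checksum file were both replaced.
    poisoned = verify_tarball(NAME, EVIL, sums_for(EVIL), sums_for(GOOD))
    # Tarball altered, checksum files untouched on both servers.
    altered = verify_tarball(NAME, EVIL, sums_for(GOOD), sums_for(GOOD))
    return clean, poisoned, altered

if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", "-", reason)
```

The "mirrors disagree" result also fires when a tarball is re-rolled under an unchanged file name, which is the case the ebuild maintainer asks to avoid by bumping the version whenever the file or hash changes.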