https://bugzilla.redhat.com/show_bug.cgi?id=1198342



--- Comment #31 from Michael Schwendt (Fedora Packager Sponsors Group) 
<[email protected]> ---
Reproducibility/comparability.

A snapshot Source URL giving 404 Not Found is no better than a tarball created
by the packager. It may contain too many changes compared with the last/current
official release.

 => It may get difficult to compare its contents with upstream sources, unless
there is documentation about how to recreate the tarball.

 => It may get difficult to check the tarball contents for trojans (e.g.), if
you don't know how to recreate the tarball from an uncompromised source code
management system.


> An upstream project could delete their old major release tarballs monthly;

Or become the victim of a break-in, not knowing whether any tarball releases
and the SCM contents have been modified. That has happened before. Tarball
checksums and copies found in a distribution's package collection then may be
helpful. The checkout date of a snapshot (which may differ a lot from an RPM
%changelog date) can then be helpful, too. Comparing the checkout dates of two
packages is also much more readable than comparing e.g. "git35" and "git36".

It's good that we've talked about it.

_______________________________________________
package-review mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-review
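The comment's point is that a snapshot tarball is only reviewable if it can be recreated from the SCM and compared file by file. The script below is an added example of that comparison, written for this page; it is not code from the bug report, from Fedora's packaging tools, or from any upstream project. It extracts a tarball, builds a sorted sha256 manifest of its contents and of a reference checkout, and diffs the two manifests, so an injected or modified file shows up as a manifest difference. The toy project (`proj-1.0`, its three files, and the tampered copy with an extra `postinstall.sh`) is constructed inline so the script runs offline; with a real package the reference tree would come from `git archive --prefix=proj-1.0/ <commit>` or a checkout at the commit/date documented in the spec file, which is the assumption this layout mirrors.

```shell
#!/bin/sh
# Verify a snapshot tarball against an SCM checkout by comparing sha256
# manifests. Added example; not from the bug report or Fedora's tooling.
set -eu

# Hash one file with whatever sha256 tool is present (GNU or BSD userland).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# manifest DIR: sorted "sha256  ./relative/path" lines for every regular file.
# Note: symlinks, file modes and empty directories are not covered here.
manifest() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | while read -r f; do
        hash_file "$f"
      done )
}

# verify_tarball TARBALL SRCDIR
# Extracts TARBALL into a scratch dir, requires exactly one top-level
# directory (as git-archive --prefix= tarballs have), and diffs its manifest
# against SRCDIR's. Returns 0 when identical, 1 otherwise (diff is printed).
verify_tarball() {
    tarball=$1; srcdir=$2
    work=$(mktemp -d)
    tar -xf "$tarball" -C "$work"
    top=$(ls -A "$work")
    if [ "$(printf '%s\n' "$top" | wc -l)" -ne 1 ] || [ ! -d "$work/$top" ]; then
        echo "unexpected tarball layout: $top" >&2
        rm -rf "$work"; return 1
    fi
    manifest "$srcdir"      > "$work/expected.sha256"
    manifest "$work/$top"   > "$work/actual.sha256"
    if diff -u "$work/expected.sha256" "$work/actual.sha256"; then
        rm -rf "$work"; return 0
    else
        rm -rf "$work"; return 1
    fi
}

# make_demo: build a constructed toy checkout plus a faithful tarball and a
# tampered one (modified Makefile, extra postinstall.sh). Prints the demo dir.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/src/proj-1.0/lib"
    printf 'int main(void){return 0;}\n'        > "$demo/src/proj-1.0/main.c"
    printf 'all: main.c\n\tcc -o proj main.c\n'  > "$demo/src/proj-1.0/Makefile"
    printf '#define PROJ_VERSION "1.0"\n'        > "$demo/src/proj-1.0/lib/util.h"
    # Faithful tarball: exactly what a packager should produce from the checkout.
    tar -C "$demo/src" -cf "$demo/proj-1.0-clean.tar" proj-1.0
    # Tampered copy: one changed file and one added file (constructed sample).
    cp -R "$demo/src" "$demo/tampered"
    printf '\t@sh ./postinstall.sh\n'            >> "$demo/tampered/proj-1.0/Makefile"
    printf 'echo "not in the SCM"\n'              > "$demo/tampered/proj-1.0/postinstall.sh"
    tar -C "$demo/tampered" -cf "$demo/proj-1.0-tampered.tar" proj-1.0
    echo "$demo"
}

DEMO=$(make_demo)
if verify_tarball "$DEMO/proj-1.0-clean.tar" "$DEMO/src/proj-1.0"; then
    echo "clean tarball: contents match the checkout"
fi
if ! verify_tarball "$DEMO/proj-1.0-tampered.tar" "$DEMO/src/proj-1.0"; then
    echo "tampered tarball: contents differ from the checkout (see diff above)"
fi
rm -rf "$DEMO"
```

The manifest diff is what makes the comparison readable: a reviewer sees which paths changed or appeared rather than a single checksum mismatch. For a real review, generate the reference tree from the documented commit and keep the resulting manifest next to the tarball checksum in the package, so a later comparison does not depend on upstream still hosting the snapshot.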