Missing source release archive for 0.28.1 and 0.28.2 #2821
Comments
|
@kevinbackhouse |
diizzyy
changed the title
|
Aren't these what you're looking for? |
I think what he's saying is that one shouldn't rely on GitHub auto-generated tarballs as they can change, so any verification by hash is difficult/pointless long term... |
|
@kmilos |
|
@diizzyy: I don't understand what you want me to do. Please could you give me very precise instructions? Then I will consider it. |
|
@kevinbackhouse @nehaljwani The request is for a manually generated source tarball that is then manually added to release assets, like it was done for all releases up to 0.28.0: https://github.com/Exiv2/exiv2/releases/tag/v0.28.0 See Line 564 in 8414a98 |
|
I still don't understand what problem this would solve. If somebody is particularly concerned about verifying the authenticity of the code, surely they should get it from the git repository directly, rather than relying on a tarball that was uploaded manually? I put gpg-signed tags on v0.28.1 and v0.28.2 for that purpose. You can also download a tarball for an arbitrary commit like this: https://github.com/Exiv2/exiv2/archive/04207b9c39bf7b3b1a7144f7ed4e4f16b4f29ef6.zip |
As linked above, the GitHub auto-generated source tarballs are not permanent (only cached for a year), so their hash can change. Most distros use the tarball + hash in their packaging scripts so this is not a permanent solution. (One can argue that's not a good approach anyway, but that's besides the point here - there are way to many of them to force them to change straight away.) https://gitlab.archlinux.org/archlinux/packaging/packages/exiv2/-/blob/main/.SRCINFO?ref_type=heads etc. etc. |
Please generate one as it could help packaging a lot and also because of https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/
The text was updated successfully, but these errors were encountered: