On Monday 21 March 2011 11:25:06 Richard Guenther wrote:
> On Mon, 21 Mar 2011, Adrian Schröter wrote:
> > Hi,
> >
> > I'd like to propose a new policy for Factory regarding our package source handling, with the goal that our package sources are upgradable, modifiable and trustable by any other developer.
> >
> > Please find my proposal here:
> > http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/
> >
> > And please drop some comments as reply to this mail :)
>
> The use of source services makes the build process less transparent (how do you build such with just rpmbuild? Build once in OBS and then download a source rpm?). Why not just provide tarball URL and MD5/SHA checksum in the rpm spec file? I really do not like adding other non-standard metadata on top of what we already have.

Actually, this is what I'd like to see too. However, AFAIK the download_url service already uses the URL found in the Source tag.

> Having that info directly in the spec file seems sanest:
>
> Source0: http://foo.com/bar.tgz
> Source0-MD5: 1234567
> Source0-SHA1: 1234567
>
> OBS can then simply _verify_ the integrity of the local tarball instead of downloading some random tarball from some random site (your proposal does not add any way to ensure that the tarball stays valid - consider somebody replacing the tarball upstream). Re-downloading the tarball isn't such a check as we no longer would provide a first known-good one.

-- 
Kind regards,
Sascha Peilicke
http://saschpe.wordpress.com
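The spec-file check Richard sketches above, as an added example that is not part of this thread or of OBS: a small Python checker that reads the Source0 / Source0-MD5 / Source0-SHA1 tags from a spec and verifies the local tarball against them. The tag names follow his sketch; the spec text and tarball bytes are constructed, and demo() also shows the two failure cases he raises, a tarball replaced after the checksum was recorded and a source with no checksum at all.

```python
import hashlib, re, tempfile
from pathlib import Path

# "SourceN: URL" plus the proposed "SourceN-MD5: ..." / "SourceN-SHA1: ..." checksum tags.
SOURCE_RE = re.compile(r"^\s*(Source\d*)(?:-(MD5|SHA1|SHA256))?\s*:\s*(\S+)\s*$", re.IGNORECASE)
# Constructed sample spec for demo(); {md5}/{sha1} are filled in from the constructed tarball bytes.
SAMPLE_SPEC = """\
Source0:      http://foo.com/bar.tgz
Source0-MD5:  {md5}
Source0-SHA1: {sha1}
Source1:      http://foo.com/bar-docs.tgz
"""
SAMPLE_TARBALL = b"constructed stand-in for bar.tgz contents\n"  # not a real archive

def parse_spec_sources(spec_text):
    """Map each SourceN tag to its URL and recorded checksums, e.g. {"Source0": {"url": ..., "md5": ...}}."""
    sources = {}
    for m in filter(None, map(SOURCE_RE.match, spec_text.splitlines())):
        tag, algo, value = "Source" + m.group(1)[6:], m.group(2), m.group(3)
        sources.setdefault(tag, {})[algo.lower() if algo else "url"] = value.lower() if algo else value
    return sources

def verify_tarball(path, entry):
    """True only if the local file matches every checksum recorded in its spec entry."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256") if a in entry}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    # No recorded checksum means there is no known-good digest to compare against: treat as failure.
    return bool(hashers) and all(h.hexdigest() == entry[a] for a, h in hashers.items())

def verify_spec(spec_text, srcdir):
    """Check each SourceN file (named by the last path element of its URL) found in srcdir."""
    results = {}
    for tag, entry in parse_spec_sources(spec_text).items():
        local = Path(srcdir) / entry.get("url", "").rsplit("/", 1)[-1]
        results[tag] = local.is_file() and verify_tarball(local, entry)
    return results

def demo():
    """Verify the constructed spec, then simulate the upstream tarball being replaced."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "bar.tgz").write_bytes(SAMPLE_TARBALL)
        Path(d, "bar-docs.tgz").write_bytes(b"docs")  # present on disk, but Source1 records no checksum
        spec = SAMPLE_SPEC.format(md5=hashlib.md5(SAMPLE_TARBALL).hexdigest(),
                                  sha1=hashlib.sha1(SAMPLE_TARBALL).hexdigest())
        good = verify_spec(spec, d)
        Path(d, "bar.tgz").write_bytes(SAMPLE_TARBALL + b"replaced upstream\n")
        return good, verify_spec(spec, d)  # -> ({'Source0': True, 'Source1': False}, {'Source0': False, 'Source1': False})
```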