On Wed, Nov 02, 2016 at 07:50:41PM +1100, Aleksa Sarai wrote:
> It may be no big deal, but usually when I see a URL where the source tar is supposed to be from, it's usually verifiable as being there and, for the times I've checked, is usually the same tarball.
>
> This is something I've had quite a few concerns about for a while -- there doesn't appear to be a clear policy in place for openSUSE about how we should reference the source of a package. In most cases it looks like a lot of maintainers have a "meh" attitude about it (which isn't great IMO).
>
> Personally, when I create packages I use a disabled _service file that contains a link to the git repo (then I use `osc service disabledrun` and commit the .tar.xz generated). If you look in Virtualization:containers all of the packages are structured that way.
>
> So maybe we should get some more concrete packaging guidelines on this point?
The package should be referenced by SOURCE URL in the .spec file. This can also be used with "osc service lr download_files", no need for a service file. If possible, specify the GPG signature and keyring. Documented on the WIKI:

https://en.opensuse.org/openSUSE:Package_source_verification
https://en.opensuse.org/SourceUrls

Ciao, Marcus
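A .spec header of the kind Marcus describes, as an added example that is not part of the thread: the tarball, its detached signature and the upstream keyring are all declared as sources, so the tarball can be re-fetched from its URL and checked against the signature. The package name, version and URL are hypothetical placeholders.

```spec
# Added example, not from the thread: package name, version and URL are hypothetical.
Name:           example
Version:        1.2.3
Release:        0
Summary:        Example package with verifiable upstream sources
License:        MIT
URL:            https://example.org/example
# Full URL, so "osc service lr download_files" can fetch the tarball
# and anyone can compare it with what is committed in OBS
Source0:        https://example.org/releases/example-%{version}.tar.xz
# Detached upstream GPG signature for the tarball, fetched the same way
Source1:        https://example.org/releases/example-%{version}.tar.xz.sig
# Upstream signing key(s), kept alongside the package so the signature
# can be checked without trusting whatever keyserver happens to answer
Source2:        %{name}.keyring
BuildArch:      noarch

%description
Example package whose Source0 tarball can be re-downloaded and verified
against Source1 using the keys in Source2.

%prep
%setup -q

%build

%install

%files
%license LICENSE

%changelog
```

With this layout, `osc service lr download_files` fetches Source0 and Source1 from the URLs given, and the keyring committed as Source2 is what the signature is checked against.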