Gesendet: Montag, 15. August 2016 um 16:22 Uhr Von: "Bjoern Voigt" <bjoernv@arcor.de> An: opensuse-packaging@opensuse.org Betreff: [opensuse-packaging] Re: [opensuse-factory] Use of _service file
Axel Braun wrote:
_service file is a conveniant way to manage sources for a package automatically: Change the version number in the spec file, and it gets downloaded automatically. Unfortunately this is not allowed in many devel-repos or in Factory. That means additionally I have to provide the source-tarball OR run someting
Hi, like
osc service localrun download_files Personally I think, that _service files provide a slightly better security and I wonder, why the a bit more secure solution is forbidden in many devel-repos. It's easier to monitor small _service files than big tarballs for modifications.
Regardless of the tarball source (upload from a developer or download by OBS via _service file), I think, that the tarballs should be verified with GPG keys or SHA checksums. This verification is enabled in some Factory packages, but not in all.
That makes perfectly sense.
See the discussion here: [opensuse-factory] Build service and checksums for source code archive verification https://lists.opensuse.org/opensuse-factory/2016-08/msg00213.html
But coming back to the original scope of the mail - why automatic service runs are not allowed in Factory. I would have expected the whole community of package maintainers to step-up and grill me. Except Björn's comment I saw a mail from Oliver https://lists.opensuse.org/opensuse-factory/2016-08/msg00428.html complaining basically about the same fact. So, if we dont have hard reasons to give away this nice feature , why cant we enable it by default? Or at least, not complain about it in factory? Cheers Axel -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org