Mailinglist Archive: opensuse-factory (837 mails)

Re: [opensuse-factory] New policy proposal for Factory: Make source of tar balls trackable
On Mon, 21 Mar 2011, Adrian Schröter wrote:

On Monday, 21 March 2011, at 11:25:06, Richard Guenther wrote:
On Mon, 21 Mar 2011, Adrian Schröter wrote:


Hi,

I'd like to propose a new policy for Factory regarding our package source
handling, with the goal that our package sources are upgradable, modifiable
and trustable by any other developer.

Please find my proposal here:

http://lizards.opensuse.org/2011/03/21/policy-proposal-for-factory-make-source-of-tar-balls-trackable/

And please drop some comments as reply to this mail :)

The use of source services makes the build process less transparent
(how do you build such with just rpmbuild?

In exactly the same way.

Build once in OBS and then
download a source rpm?). Why not just provide tarball URL and MD5/SHA
checksum in the rpm spec file?

Exactly this is this proposal.

I really do not like adding other
non-standard metadata on top of what we already have.

OBS can then simply _verify_ the integrity of the local tarball
instead of downloading some random tarball from some random site
(your proposal does not add any way to ensure that the tarball
stays valid - consider somebody replacing the tarball upstream).
Re-downloading the tarball isn't such a check as we no longer would
provide a first known-good one.

Btw, I think we already discussed this topic enough so I'm sort-of
disappointed with that proposal.

Please read it ;)

I did. It nowhere mentions spec files but only source services
and a new kind of URLs.

Richard.

--
Richard Guenther <rguenther@xxxxxxx>
Novell / SUSE Labs
SUSE LINUX Products GmbH - Nuernberg - AG Nuernberg - HRB 16746 - GF: Markus Rex