1 |
On Sun, 15 Nov 2020 11:03:29 +1300 |
2 |
Kent Fredric <kentnl@g.o> wrote: |
3 |
|
4 |
> On Wed, 11 Nov 2020 19:38:35 -0500 |
5 |
> Rich Freeman <rich0@g.o> wrote: |
6 |
> |
7 |
> > I just host stuff like that on my dev webspace, or better yet on |
8 |
> > github or something else that will auto-tarball stuff. |
9 |
> |
10 |
> Oh, yeah, and don't rely on github auto-tarball stuff. |
11 |
> |
12 |
> History has demonstrated github sometimes "forgets" their cached copies |
13 |
> of those tarballs, and then later when requested, it will regenerate |
14 |
> them fresh ... but with different SHAsums. |
15 |
> |
16 |
> If you're gonna use github for tarballs, roll that tarball yourself, |
17 |
> and attach it to a "release", manually and explicitly, and then use the |
18 |
> URL to the release asset. |
19 |
> |
20 |
> Only then can you be sure: |
21 |
> |
22 |
> a) Of what the tarball actually contains |
23 |
> b) Of what the tarballs SHAsum will be |
24 |
|
25 |
I'm not claiming this has never actually happened but I use these |
26 |
GitHub tarballs *a lot* and I don't recall ever seeing it. Does anyone |
27 |
know for sure that it's happened in, say, the last 3 years? It's a lot |
28 |
of extra work for a problem that may no longer exist or is so rare that |
29 |
it's just not worth the effort. |
30 |
|
31 |
-- |
32 |
James Le Cuirot (chewi) |
33 |
Gentoo Linux Developer |