1 |
On Wed, 11 Nov 2020 19:38:35 -0500 |
2 |
Rich Freeman <rich0@g.o> wrote: |
3 |
|
4 |
> I just host stuff like that on my dev webspace, or better yet on |
5 |
> github or something else that will auto-tarball stuff. |
6 |
|
7 |
Oh, yeah, and don't rely on github auto-tarball stuff. |
8 |
|
9 |
History has demonstrated github sometimes "forgets" their cached copies |
10 |
of those tarballs, and then later when requested, it will regenerate |
11 |
them fresh ... but with different SHAsums. |
12 |
|
13 |
If you're gonna use github for tarballs, roll that tarball yourself, |
14 |
and attach it to a "release", manually and explicitly, and then use the |
15 |
URL to the release asset. |
16 |
|
17 |
Only then can you be sure: |
18 |
|
19 |
a) Of what the tarball actually contains |
20 |
b) Of what the tarballs SHAsum will be |