On Mon, Jul 31, 2023 at 7:28 PM Robin Candau <an...@archlinux.org> wrote:

> - Speaking of sources, any reason why you `git clone` the repo against a
> specific tag instead of using a tag's archive? [3] Using a tag's archive
> would allow you to check the integrity of the downloaded sources (rather
> than skipping it). If you do so, I suggest using a stronger hash
> algorithm than md5. Using `sha256` or stronger is the standard now. You
> could also drop the `git` make dependency.
>

The autogenerated archives aren't guaranteed to be stable. I would not use
them at all. See:
https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/

I also dislike using refs, as they can be overwritten. I would recommend
pinning to a specific commit.
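As an added example (not part of this thread, and not an Arch or AUR tool), a small POSIX-shell helper that sorts a PKGBUILD `source=` entry into the categories the reply distinguishes: a git source pinned to a full commit id, a git source on a movable ref, or an autogenerated forge archive. The URLs in the usage lines are constructed.

```shell
#!/bin/sh
# Hypothetical helper: classify one PKGBUILD source= entry.
#   pinned  -> git source with a full commit id (immutable)
#   short   -> git source with an abbreviated commit id (may become ambiguous)
#   mutable -> git source on #tag=/#branch= or with no fragment (ref can move)
#   archive -> autogenerated forge archive (/archive/ path; hash not guaranteed)
#   other   -> anything else, e.g. a tarball upstream publishes as a release
classify_source() {
    entry=$1
    url=${entry#*::}              # drop an optional "name::" prefix
    case $url in
        git+*|git://*)
            frag=${url#*#}        # text after the first '#', if any
            if [ "$frag" = "$url" ]; then
                frag=""
            fi
            case $frag in
                commit=*)
                    id=${frag#commit=}
                    case $id in
                        *[!0-9a-f]*) echo mutable ;;      # not a raw object id
                        *)
                            # full SHA-1 (40 hex) or SHA-256 (64 hex) object id
                            if [ "${#id}" -eq 40 ] || [ "${#id}" -eq 64 ]; then
                                echo pinned
                            else
                                echo short
                            fi ;;
                    esac ;;
                *) echo mutable ;;
            esac ;;
        */archive/*) echo archive ;;   # GitHub /archive/ and GitLab /-/archive/
        *) echo other ;;
    esac
}

# Usage with constructed entries (not real packages):
for s in \
    'git+https://github.com/example/tool.git#commit=0123456789abcdef0123456789abcdef01234567' \
    'tool::git+https://github.com/example/tool.git#tag=v1.2.0' \
    'https://github.com/example/tool/archive/refs/tags/v1.2.0.tar.gz' \
    'https://example.org/releases/tool-1.2.0.tar.xz'
do
    printf '%-8s %s\n' "$(classify_source "$s")" "$s"
done
```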
