I took a stab at creating a patch that I think addresses most of the comments I saw in this thread, would love feedback in https://issues.apache.org/jira/browse/CASSANDRA-18204 <https://issues.apache.org/jira/browse/CASSANDRA-18204>
Given that the leading solution is git submodules I went down this path and fleshed out the things I saw in this thread. I don’t think this patch is 100% perfect (been trying to figure out release logic to confirm) so would love to here places that I neglected or problem areas found! > On Jan 20, 2023, at 6:48 AM, Mick Semb Wever <m...@apache.org> wrote: > > > Both a git post-checkout and a build fail-fast will protect us here. But the > post-checkout will need to fail silently if the .git subdirectory doesn't > exist. > > Correction: the build fail-fast will need to fail silently if the .git > subdirectory doesn't exist. > > How will this work for users downloading source distributions? > > It is presumed that the source found in the submodule is on the correct SHA. > The integrity checks are in place when creating and when voting on the source > tarball release. This means that the the build of the submodule has to be > part of the in-tree build (which I have assumed already).