On Tue, Jun 02, 2015 at 02:59:00PM +0200, Christoph Lohmann wrote:
> I could push out more releases and tag nearly every new feature that’s
> stable, if you like. But here’s my view that struggles me. I am using
> releases to reconsider what’s done in the project and what could be done
> next. Just tagging it would be a soft hint for you what’s changed. This
> would be solved by having a simple Changelog file in the project, which
> I would accept.
>
> But you being a packager, here’s my most important question: Do you need
> the checksum of the tarball? If not, then the link to the cgit interface
> would be enough for download. This saves much time in the release
> generation.

Due to how we do things in Arch, I don't need a checksum provided by the
upstream, no. I download it once, record the checksum in the PKGBUILD, build
the package and test it.
The checksum is needed more for the benefit of knowing that you are building
the same thing as the packager did, not for any actual verification of the
source. That would require a proper signature.

Attachment: signature.asc
Description: Digital signature
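
The checksum comparison described in the reply above, as an added example that is not part of the original thread and is not makepkg's own code. The package name, file names and tarball bytes are constructed placeholders, and the parser only handles simple quoted `source`/`sha256sums` arrays.

```python
import hashlib
import re

# Constructed sample: the bytes "the packager downloaded" and the PKGBUILD
# fragment recording their checksum. Names and version are placeholders.
TARBALL = b"constructed tarball bytes as the packager downloaded them"
PKGBUILD = f"""
pkgname=example
pkgver=1.0
source=("example-1.0.tar.gz"
        "example.conf")
sha256sums=('{hashlib.sha256(TARBALL).hexdigest()}'
            'SKIP')
"""

def parse_array(pkgbuild, name):
    """Return the quoted entries of a bash array assignment name=(...)."""
    m = re.search(rf"^{re.escape(name)}=\((.*?)\)", pkgbuild, re.S | re.M)
    if m is None:
        raise ValueError(f"{name}=() not found")
    return [a or b for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", m.group(1))]

def check_sources(pkgbuild, files):
    """Compare each source file with the checksum the packager recorded."""
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    if len(sources) != len(sums):
        raise ValueError("source and sha256sums differ in length")
    result = {}
    for src, want in zip(sources, sums):
        if want == "SKIP":              # entry deliberately left unchecked
            result[src] = "skipped"
        elif src not in files:
            result[src] = "missing"
        else:
            got = hashlib.sha256(files[src]).hexdigest()
            result[src] = "match" if got == want else "MISMATCH"
    return result

if __name__ == "__main__":
    conf = b"constructed config"
    # Same bytes the packager had: the rebuild uses identical source.
    print(check_sources(PKGBUILD, {"example-1.0.tar.gz": TARBALL, "example.conf": conf}))
    # A regenerated snapshot with different bytes is reported as a change.
    print(check_sources(PKGBUILD, {"example-1.0.tar.gz": TARBALL + b"\n", "example.conf": conf}))
    # "match" only means "same as the packager's download"; nothing here ties
    # the bytes to upstream, which is what a signature would add.
```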
