2010/7/12 Kevin Kofler <kevin.kof...@chello.at>: > Michel Alexandre Salim wrote: >> I experienced this recently with another project (openSUSE's build >> service client) -- GitHub lets you download a project's tagged >> snapshots as tarballs, but Gitorious does not have this functionality. > > But on-demand autogenerated tarballs are evil because they usually don't > have reproducible checksums, so there's no straightforward way to verify > that the tarball has not been altered. > > Kevin Kofler >
The autogenerted tarballs from original moblin VCS[1] are not evil :), they have a permanent checksums. Unfortunately, meego moved all packages to gitorious which don't have the same feature. So I suggest to use tarballs extracted from upstream SRPM[1] instead of pulling source files directly from VCS to be easier for checking md5sum. Is it forbidden by fedora packaging guideline? When we keep consistent with upstream RPM version, we can also report some bugs to meego bugzilla directly. [1]http://git.moblin.org/cgit.cgi/scim-panel-vkb-gtk/ [2]http://repo.meego.com/ Regards, Chen Lei -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
