Hi Dan,

On Fri, May 01, 2009 at 05:51:33PM -0700, Dan Price wrote:
>
> Please review these fixes:
>
> 8602 tidy top level of source directory
>
> This moves the "external" stuff like cherrypy, ply, etc. into a subdir,
> and moves the smf stuff into a subdir. It deletes bump-server.
>
> 8603 build process should try to validate downloaded bits
>
> Should be self-explanatory, I chose to use sha256 hashes, and when we
> go to py2.5 we should change from using 'digest' to hashlib.
>
> http://cr.opensolaris.org/~dp/pkg-src-cleanup/

The code changes look fine to me. I'm a little nervous about requiring a file hash for downloads where we're always requesting the version as latest. It seems like that might lead us to an involuntary hash failure if the upstream provider releases a new version and we don't have the hash.

I took a look at a bunch of the packages we're downloading. None of the publishers seem to include md5 sums, which used to be standard for distributing software. I was going to suggest that we try to download the md5 sum of a software tarball along with the tarball itself, at least if we were going to try to download the latest version. Given that it doesn't seem feasible for the packages that we've chosen, perhaps it makes more sense to always download a pre-determined version.

-j
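
An added illustration, not part of the thread and not the pkg build's own code: a download check that ties each SHA-256 to a pre-determined version and refuses entries that float on "latest", which is the failure mode raised in the reply. The manifest layout, component names and function names are hypothetical, and the sample tarball bytes are constructed.

```python
import hashlib
import hmac
import io

class PinError(Exception):
    """Raised when a download cannot be validated against its pin."""

# Constructed sample data standing in for a downloaded tarball.
SAMPLE = b"constructed tarball bytes for example-lib 1.2.3\n"

# Hypothetical manifest: component -> pinned version and expected SHA-256.
MANIFEST = {
    "example-lib": {"version": "1.2.3",
                    "sha256": hashlib.sha256(SAMPLE).hexdigest()},
    # A floating version: any recorded hash goes stale on the next release.
    "floating-lib": {"version": "latest", "sha256": "0" * 64},
}

FLOATING = ("latest", "current", "")

def floating_entries(manifest):
    """Return names of entries whose version is not a fixed release."""
    return sorted(name for name, entry in manifest.items()
                  if entry["version"].lower() in FLOATING)

def sha256_stream(fileobj, chunk=64 * 1024):
    """Hash a file object in chunks so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def verify(name, fileobj, manifest=MANIFEST):
    """Return the pinned version if the bytes match; raise PinError otherwise."""
    entry = manifest.get(name)
    if entry is None:
        raise PinError(f"{name}: no hash recorded")
    if entry["version"].lower() in FLOATING:
        raise PinError(f"{name}: version is not pinned, so the hash "
                       "would fail as soon as upstream releases")
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, entry["sha256"]):
        raise PinError(f"{name} {entry['version']}: sha256 mismatch "
                       f"(got {actual})")
    return entry["version"]

if __name__ == "__main__":
    print("floating:", floating_entries(MANIFEST))
    print("verified:", verify("example-lib", io.BytesIO(SAMPLE)))
```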
