Heads-up: brand new RPM version about to hit rawhide
Kevin Kofler
kevin.kofler at chello.at
Mon Jul 14 16:48:49 UTC 2008
Doug Ledford <dledford <at> redhat.com> writes:
> First, before I respond to the rest of this, keep in mind that the
> "overwhelming majority" of packages needs to be quantified.
> Furthermore, at least one very significant package (the kernel) does not
> massage files at all between SCM tag and tarball. And to be honest, I
> would be very surprised to find many projects that do have any
> significant difference between a tagged release in the SCM of their
> choice and their tarballs. So I would like some examples please, which
> shouldn't be hard to come up with since it is the "overwhelming
> majority" of projects that obviously think when they tag something in
> their SCM it doesn't need to match the tarball they make with the same
> tag version...
Many packages don't have a public SCM at all; some have a private SCM, some
one-man projects have no SCM at all. (For example, there is _no_ SCM for
Quarticurve and Quarticurve-KWin, unless you call fully exploded copies of old
versions sitting around on my HDD an "SCM".)
And even if they use an SCM, they can:
* make releases without tags: For example, the weekly trunk snapshots of KDE
don't get tags, nor do the extragear tarball releases.
* modify tags: This is particularly common in Subversion which allows using a
tag like a branch. KDE normally uses the following workflow:
1. tag release
2. prerelease tarballs from the tags to packagers
3. fix any showstoppers by merging fixes to the tag
4. respin tarballs for the modules which were thus fixed
5. make the release public
so the contents of the tag can change between when we first build the package
and the public release of the new version. The checksummed tarballs handle this
robustly, we can just upload a new respun tarball with a new checksum. But
automatically picking up a respin can break the build because sometimes we had
a showstopper fix as a patch, which of course no longer applies if the release
is respun including the fix, so building from whatever the current contents of
the tag are rather than from whatever we used breaks reproducibility of builds.
* require postprocessing: It's not just autotools which are a problem there.
For example, the KDE extragear releases use a fairly clever script collecting
translations from elsewhere in the SVN repository.
Kevin Kofler
More information about the fedora-devel-list
mailing list