Source URL guidelines (was Re: source file audit - 2009-02-15)

Ralf Corsepius rc040203 at freenet.de
Sun Feb 22 14:52:00 UTC 2009


Michael Schwendt wrote:
> On Sun, 22 Feb 2009 13:35:13 +0100, Ralf wrote:
> 
>>> There still is the URL tag which can be used to search for [and verify!]
>>> new download locations during a "legal review".
>> Yes, chasing URLs is the last resort. You can't be seriously wanting 
>> this to be the norm?
> 
> Not "the norm", but acceptable in all the cases where the originally
> working Source-URL no longer works.
If a source-url doesn't work, the packager should update the URL and 
respin the package.


> In particular, packagers and reviewers must visit upstream web sites
> and verify release-versions and download-locations manually anyway.
Right, as well as arbitrary people who are investigating bugs, people 
who want to reuse a package, etc.


>>>> and to prevent Fedora from being vulnerable from upstream dynamics 
>>>> (low quality random snapshots, bugs, compromised upstreams, etc.)
>>> ?!  A static Source-URL alone doesn't achieve that.
>> Right, but comparing tarballs against those found on URLs does.
> 
> Not everything you mention above. - Well, occasionally it may find
> tarballs which have changed, but it cannot verify any of the exceptions
> covered by the Source URL Guidelines.
Please Michael, you are beginning to sound laughable.

A broken URL is a _hint_ that something might be in limbo.

A URL alone doesn't buy you anything.


> | danms:BADSOURCE:libcmpiutil-0.4.tar.gz:libcmpiutil
> 
> $ md5sum libcmpiutil-0.4.tar.gz 
> 48132314c5cbeb87d1c9e561f1c86b2b  libcmpiutil-0.4.tar.gz
> 
> $ cat sources 
> 7ee1bb889c25e8ddc3b099b34ef159a5  libcmpiutil-0.3.tar.gz
> 78ca0dbcde4b1ceba6677f1f2fa6a90f  libcmpiutil-0.4.tar.gz
> 
> diff -Nur libcmpiutil-0.4-orig/aclocal.m4 libcmpiutil-0.4-new/aclocal.m4
> -# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
> +# generated automatically by aclocal 1.10 -*- Autoconf -*-
>  
>  # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
> -# 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
> +# 2005, 2006  Free Software Foundation, Inc.
> [...]
> 
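Review bot: every visible difference in this hunk is generated autotools output (the aclocal version 1.10.1 vs 1.10 and the copyright years in aclocal.m4), so what it shows is a re-rolled tarball rather than a change to the package's sources; the md5 mismatch between the `sources` entry and the downloaded libcmpiutil-0.4.tar.gz therefore cannot by itself tell a benign same-day re-release from a modified upstream. Suggest recording, alongside the `sources` entry, which of the two 0.4 tarballs the package was built from and why, so that a later audit has something to check against beyond the URL.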
> ...and so on. Both released on the same day. 2008-05-20. The newer one
> is an hour older. ;) Packager is upstream.
Packager is doing a bad job.


> Fortunately, the current wording does not read like a strict MUST. 
Have you been to a beginners' seminar on "rhetoric tricks"?

The wording has always been intended to be a must.
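The check both sides of this thread are arguing about, comparing the tarballs that the Source URLs actually serve against the checksums in the package's `sources` file, written out as an added example that is not part of this thread or of any Fedora tool. It parses the `sources` format shown above, md5sums each fetched tarball the way `md5sum` does, and reports in the `owner:STATUS:file:package` shape of the quoted audit line. The owner `danms`, the libcmpiutil file names, and all tarball contents and digests in `run_demo()` are constructed fixture values.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def parse_sources(text):
    """Parse a Fedora 'sources' file: one '<md5hex>  <filename>' entry per line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed sources line: {raw!r}")
        entries[parts[1].strip()] = parts[0].lower()
    return entries


def md5_of_file(path, chunk=1 << 16):
    """Stream a file through md5, producing the same digest 'md5sum' prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(owner, package, sources_text, fetched):
    """Compare what fetching each Source-URL produced with the lookaside checksums.

    fetched maps tarball name -> local path of the downloaded copy.
    Returns 'owner:STATUS:filename:package' lines, sorted by filename.
    """
    report = []
    for name, digest in sorted(parse_sources(sources_text).items()):
        path = fetched.get(name)
        if path is None:
            status = "MISSING"      # the URL no longer serves this file: the "hint" Ralf describes
        elif md5_of_file(path) == digest:
            status = "OK"           # byte-identical to what the lookaside holds
        else:
            status = "BADSOURCE"    # same file name, different bytes: re-rolled or modified tarball
        report.append(f"{owner}:{status}:{name}:{package}")
    return report


def _make_tarball(path, payload):
    """Write a one-file .tar.gz containing README with the given bytes (constructed fixture)."""
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("README")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))


def run_demo():
    """Constructed fixture: 0.3 matches the lookaside, 0.4 was re-rolled, 0.5 is gone from the URL."""
    workdir = tempfile.mkdtemp()
    fetched = {}
    for name, payload in (("libcmpiutil-0.3.tar.gz", b"release 0.3\n"),
                          ("libcmpiutil-0.4.tar.gz", b"release 0.4, re-rolled\n")):
        fetched[name] = os.path.join(workdir, name)
        _make_tarball(fetched[name], payload)
    good = md5_of_file(fetched["libcmpiutil-0.3.tar.gz"])
    # The two digests below are constructed stand-ins for what the lookaside would record.
    stale = hashlib.md5(b"release 0.4, original upload\n").hexdigest()
    gone = hashlib.md5(b"release 0.5\n").hexdigest()
    sources = (f"{good}  libcmpiutil-0.3.tar.gz\n"
               f"{stale}  libcmpiutil-0.4.tar.gz\n"
               f"{gone}  libcmpiutil-0.5.tar.gz\n")
    return audit("danms", "libcmpiutil", sources, fetched)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running it prints one OK, one BADSOURCE (the 0.4 case from the thread) and one MISSING line. A matching md5 only shows that the fetched copy and the lookaside copy are the same bytes; it says nothing about whether either is what upstream meant to release, which is why the manual visit to the upstream site Michael mentions still has a place even when the URL works.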




More information about the fedora-devel-list mailing list