[Fedora-packaging] Is md5sum compulsion in review instead sha1sum?
nicolas.mailhot at laposte.net
Wed Oct 14 19:17:43 UTC 2009
Le Mer 14 octobre 2009 20:56, Jason L Tibbitts III a écrit :
>>>>>> "NM" == Nicolas Mailhot <nicolas.mailhot at laposte.net> writes:
> NM> This is something for the BADURL script or autoqa, IMHO. The ROI on
> NM> doing it manually, and only on the initial submission, is pretty
> NM> low.
> Well, so far I've caught many, many instances of improper URLs, several
> cases where the packager had modified the tarball and not realized that
> was problematic, and a few instances where the tarball needed to be
> modified but the packager hadn't documented the reasons or the necessary
> changes in accordance with our guidelines. All of those are things that
> need to be done in review, before the import, because the point is to
> actually check the packages before they're imported to guard against
> errors where the packager simply isn't aware of the proper way to do
I'm sure I don't need to remind you that last time I asked to add something to
the checklist FPC/FESCO argued is was too long already and even if there were
many many cases where it caused problems later on it was not worth listing it
explicitely. The checksum test is clearly in the same category (and even less
worth it because it's already checked automatically).
> Letting crap get in and then mailbombing the packager with
> autoqa mail (which doesn't even exist at this point) isn't friendly to
> either the packager or the distribution.
Well I'm afraid I've now spent quite a long time writing a mailbomber, because
I was told the checklist is of-limits for rules that only catch marginal
problems. I really do not see what makes the checksum test any more special or
More information about the Fedora-packaging