Overview

Request 1189772 accepted

refactor spec, change to obs_scm (no longer hardcoding the commit hash) and update to 1.3.6


Johannes Kastl (author, source maintainer, target maintainer):

Hi Marcus,

then at least we should somehow check the sha256sums.

At we still have the hassle to hardcode the commit hash in the spec.


Johannes Kastl (author, source maintainer, target maintainer):

Hmm, too bad, there are no checksums for the source tarball available on the releases page.

I'll see if I can get them somewhere...


Johannes Kastl (author, source maintainer, target maintainer):

Apparently this is not possible unless the project includes the sha256sum in the release notes. Which rekor does not.

And only the official binaries are being signed, not the source tarball.

So I would like to revisit your statement again. Is having a source tarball more secure than a git checkout (which we already have in hundreds of other packages)?
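To make the two options under discussion concrete, here is an added `_service` illustration (not from this request or the rekor package) showing a pinned obs_scm checkout beside a downloaded tarball checked with verify_file. The upstream URL, tag and filenames are assumptions for the example, and the checksum is a placeholder for a value obtained from upstream out of band.

```xml
<!-- Added illustration, not part of request 1189772. Two source chains for one
     package: (a) git checkout via obs_scm, (b) release tarball via download_url.
     URL, tag and filenames are assumed; the checksum is a placeholder. -->
<services>
  <!-- (a) obs_scm. "revision" may be a tag (as here) or a full commit hash; a
       full hash is the stronger pin, since a tag can be moved upstream later. -->
  <service name="obs_scm" mode="manual">
    <param name="url">https://github.com/sigstore/rekor.git</param>
    <param name="scm">git</param>
    <param name="revision">v1.3.6</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
  </service>
  <service name="set_version" mode="manual"/>
  <service name="tar" mode="buildtime"/>
  <service name="recompress" mode="buildtime">
    <param name="file">*.tar</param>
    <param name="compression">gz</param>
  </service>

  <!-- (b) downloaded tarball. verify_file compares the file against a pinned
       sha256, so a changed upstream artifact fails the service run instead of
       silently entering the build. -->
  <service name="download_url" mode="manual">
    <param name="url">https://github.com/sigstore/rekor/archive/refs/tags/v1.3.6.tar.gz</param>
    <param name="filename">rekor-1.3.6.tar.gz</param>
  </service>
  <service name="verify_file" mode="manual">
    <param name="file">rekor-1.3.6.tar.gz</param>
    <param name="verifier">sha256</param>
    <param name="checksum">PLACEHOLDER_SHA256_FROM_UPSTREAM</param>
  </service>
</services>
```

In practice a package uses one chain or the other; both are shown here only to put the checksum check beside the commit pin that the thread compares.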


Marcus Meissner:

I talked with the team, and actually it seems we are still undecided on whether to use scm or tarballs regarding the XZ aftermath.

So I will just put it through as-is.


Johannes Kastl (author, source maintainer, target maintainer):

I'll happily join in on any discussions regarding this; I would like to learn and understand the pain points and caveats of the different approaches.

Have a nice weekend, Marcus!

Request History

ojkastl_buildservice created request

refactor spec, change to obs_scm (no longer hardcoding the commit hash) and update to 1.3.6



msmeissn declined request

No, we should use downloaded tarballs, not git checkouts.



msmeissn reopened request

reopen



msmeissn accepted request

ok
