Re: packaging: prefer git archives to upstream archives for Source

On Mon, Mar 31 2025 at 10:53:54 AM +00:00:00, Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
> This is only "SHOULD", because sometimes the git tarball is too large
> or has other deficiencies.  Another reason is that the "upstream
> tarball" may be signed, and that'd be preferred to the unsigned "raw"
> archive. But those should be rare exceptions.

Hm, I agree that using a forge-generated tarball is possibly safer than using a GPG-signed upstream release tarball. I tried this for WebKitGTK:

https://codeload.github.com/WebKit/WebKit/tar.gz/refs/tags/webkitgtk-2.48.0

And just received an error: 422: Archive creation is blocked

So I tried to create my own archive manually, although this only shifts rather than eliminates the risk that the tarball may be maliciously modified relative to the git repo contents:

$ git archive @ > archive.tar
$ xz archive.tar

After a minute or so of CPU heating, the result is 1.4 GB, compared to 44 MB for the upstream release tarball. I suspect that size difference may be possibly significant for our infrastructure, considering how often I upload new tarballs? Also, the RPM's License field would be different as there is much, much more code in the git repo, including GPL-incompatible licenses.

So yeah, you anticipated these complaints already: it doesn't work well for all projects.

Michael


--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
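
Added example, not part of the message above and not Fedora tooling: one way to check a release tarball against the tagged git tree when the tarball is only a subset of the repository, as in the WebKitGTK case. The helper names check_tarball and make_sample are hypothetical, and the sample repository and tarballs are constructed for the example.

```shell
#!/bin/sh
# check_tarball <repo-dir> <tag> <tarball>
# Returns 0 only if every regular file in the tarball is byte-identical to
# the blob at the same path in <tag>. Prints one line per offending file.
# Files that exist only in git are not reported (a release tarball may be a
# subset); file modes and symlinks are not compared.
check_tarball() {
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d) || return 2
    # Release tarballs normally wrap everything in one top-level directory.
    tar -xf "$tarball" -C "$work" --strip-components=1 ||
        { rm -rf "$work"; return 2; }
    status=0
    find "$work" -type f | sort > "$work.list"
    while IFS= read -r f; do
        path=${f#"$work"/}
        # Blob id recorded in git for this path at the tag, if any.
        want=$(git -C "$repo" rev-parse --verify -q "$tag:$path") ||
            { echo "NOT-IN-GIT $path"; status=1; continue; }
        # Hash the extracted bytes exactly as shipped (no EOL/filter rewriting).
        got=$(git -C "$repo" hash-object --no-filters "$f")
        [ "$got" = "$want" ] || { echo "MODIFIED $path"; status=1; }
    done < "$work.list"
    rm -rf "$work" "$work.list"
    return $status
}

# Constructed sample: a throwaway repo tagged v1, a faithful tarball, and a
# tarball with one changed file plus one file that is not in git at all.
# $1 must be an absolute path to an existing empty directory.
make_sample() {
    d=$1
    git init -q "$d/repo"
    printf 'int main(void){return 0;}\n' > "$d/repo/main.c"
    printf 'all: main\n' > "$d/repo/Makefile"
    git -C "$d/repo" add -A
    git -C "$d/repo" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m init
    git -C "$d/repo" tag v1
    git -C "$d/repo" archive --prefix=proj-1/ -o "$d/clean.tar" v1
    mkdir -p "$d/t"
    tar -xf "$d/clean.tar" -C "$d/t"
    printf '# changed after tagging\n' >> "$d/t/proj-1/Makefile"
    printf 'generated\n' > "$d/t/proj-1/configure"
    tar -cf "$d/tampered.tar" -C "$d/t" proj-1
}
```

A NOT-IN-GIT line is not necessarily malicious (generated files such as configure scripts are common in release tarballs), but each one is content that review of the git history does not cover.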



