I am very much in favor of continuing to improve reproducibility and auditability in general. However, as a general response to this discussion, I’d like to caution against writing new policies that implicitly rely on any of the following falsehoods: - All upstreams use some kind of forge, with features like automatic source archives for tags and commits - All upstreams use a VCS with public read access - All upstreams use a VCS - All package sources can be expressed as URLs - All correct source URLs yield stable/reproducible downloads - The processes upstreams use to produce “release” archives from raw VCS sources can always be imitated downstream - All necessary and useful packages in Fedora have active upstreams - All inactive upstreams still have at least some kind of archived web presence where a canonical copy of the last release can be downloaded It’s useful to provide guiding principles, and to provide concrete guidance for common cases, but it’s also important to acknowledge that Fedora packagers have to deal with a wide variety of upstreams and ecosystems, some of them deeply idiosyncratic. - Ben Beasley (FAS: music) -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
