[Dev] FWD: [openbsd-ports] Porters, please read re GitHub auto-generated tarballs vs releases

bill-auger bill-auger at peers.community
Sat Mar 3 02:03:03 GMT 2018

On 03/02/2018 04:18 PM, Luke Shumaker wrote:
> On 2018-02-27 at 12:28:07
> Stuart Henderson wrote:
>> Many ports are using github's on-the-fly generated source-code tarballs
>> via the GH_ variables in Makefiles.
> Though I wonder if that's intentional/allowed, or if it's really just
> a bug in GitHub.
>> :   "It is not meant to be reliable or a way to distribute software
>> :   releases and nothing in the software stack is made to try to
>> :   produce consistent archives."
> I can't seem to find a source for that quote.

i would like to see that documentation also

i dont know what those the GH_ variables in Makefiles actually do - but
i can say from my experience that the github auto-generated "releases"
that are based on git tags seem to be exactly what you get with the `git
archive` command - i use a git commit hook that creates the tarball with
`git archive` then signs it with GPG then downloads the auto-generated
tarball from github and compares the local signature against the remote
tarball before uploading the signature and i have not seen any
in-consistency - maybe the "tagged" releases are more stable or maybe i
have just been lucky i dunno

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 525 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20180302/58f2eee7/attachment.sig>

More information about the Dev mailing list