Hi

On Sat, Jul 18, 2015 at 4:10 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
[2015-07-18 15:13:43 -0700] Anatol Pomozov:
On Sat, Jul 18, 2015 at 1:04 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
Instead I suggest we use the full commit hash. In the example above, that'd become something like:
_commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
source=("git://github.com/systemd/systemd.git#commit=$_commit")
md5sums=('SKIP')
Would it be better to improve the *sums=() function to work with directories? This will also help svn/hg based packages.
A simple solution is to tar the whole directory and then calculate the checksum:
tar -c $DIR | md5sum
This involves file attributes, so it seems the md5sum would change any time you do a new `git clone` even if no actual content has changed.
tar has options to control file attributes added to the archive. For your case this will be '--mtime=0'.

Instead of tar it is possible to use something like hashdeep [1] or just plain 'find' + {md5,sha1}sums.

The point is that we already have a way to describe checksums for sources. It would be great to extend it to cases like VCS based releases (git, svn, hg, ...).

[1] https://github.com/jessek/hashdeep/
Also I think the commit hash is an intrinsically better value because it is explicitly published by upstream. Just as checksums are (or should be) published next to release tarballs.
Cheers.
-- Gaetan
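
The 'find' + checksum idea discussed in this thread, worked through as an added example that is not part of the original messages and is not makepkg's own code. The function names `dirsum` and `verify_dir` are hypothetical, SHA-256 is used in place of md5/sha1, and GNU-style find, sort and xargs are assumed.

```shell
#!/bin/sh
# Added example: checksum a VCS checkout by content, not by archive metadata.
# Assumes find -print0, sort -z, xargs -0 -r, readlink and sha256sum exist.

# dirsum DIR
# Prints a SHA-256 digest covering, for everything under DIR except .git:
#   - each regular file's relative path and content hash
#   - which files are executable (the only mode bit git records)
#   - each symlink's relative path and target
# Timestamps, owners and directory traversal order do not affect the result,
# so two fresh clones of the same commit produce the same digest.
dirsum() {
    [ -d "$1" ] || { echo "dirsum: not a directory: $1" >&2; return 1; }
    (
        cd "$1" || exit 1
        export LC_ALL=C   # byte-wise sort order, independent of user locale
        echo "== files"
        find . -name .git -prune -o -type f -print0 \
            | sort -z | xargs -0 -r sha256sum
        echo "== executable"
        find . -name .git -prune -o -type f -perm -100 -print0 \
            | sort -z | tr '\0' '\n'
        echo "== symlinks"
        find . -name .git -prune -o -type l -exec sh -c \
            'for l; do printf "%s -> %s\n" "$l" "$(readlink "$l")"; done' \
            sh {} + | sort
    ) | sha256sum | cut -d' ' -f1
}

# verify_dir DIR EXPECTED
# Returns 0 only when DIR hashes to EXPECTED, the way an entry in a
# *sums=() array would be checked against a downloaded source.
verify_dir() {
    actual=$(dirsum "$1") || return 1
    [ "$actual" = "$2" ]
}
```

Unlike `tar -c $DIR | md5sum`, the digest here contains no mtime or ownership fields, so nothing has to be normalised with tar options.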