On 11/16/18 12:51 AM, Daniel M. Capella via aur-general wrote:
Quoting Eli Schwartz via aur-general (2018-11-15 00:52:50)
On 11/14/18 11:50 PM, Daniel M. Capella via aur-general wrote:
Quoting Levente Polyak via aur-general (2018-11-14 17:00:38)
- tests are awesome <3 run them whenever possible! more is better! pulling sources from github is favorable when you get free tests and sometimes manpages/docs
Will work with the upstreams to distribute these. I prefer to use published offerings as they are what the authors intend to be used. GitHub autogenerated tarballs are also subject to change: https://marc.info/?l=openbsd-ports&m=151973450514279&w=2
I've seen the occasional *claim* that this happens, but I've yet to see any actual case where this happens and it isn't because of upstream force-pushing a tag.
GitHub is supposed to use git-archive(1) for this, which is guaranteed to be reproducible when generating .tar, although in theory post-filtering this through a compressor like gzip can result in changes from one version of git to another. I say in theory because I don't recall this ever happening, and git-archive uses the fairly boring defaults.
I don't see any reason to use substandard sources in order to avoid checksum problems I don't believe in.
"substandard" 🤔 https://wiki.archlinux.org/index.php/Python_package_guidelines#Source
Does the wiki really need to be overly specific when its sane to use which source? Especially when you have one that gives tests, docs and signatures and the other not? Or do we really expect to have a paragraph to explicitly allow building python from the original unprocessed main sources as well? I don't think so.