8 Aug 2023, 12:11 p.m.
On Mon, Jul 31, 2023 at 7:28 PM Robin Candau <antiz@archlinux.org> wrote:
> - Speaking of sources, any reason why you `git clone` the repo against a specific tag instead of using a tag's archive? [3] Using a tag's archive would allow you to check the integrity of the downloaded sources (rather than skipping it). If you do so, I suggest using a stronger hash algorithm than md5. Using `sha256` or stronger is the standard now. You could also drop the `git` make dependency.
The autogenerated archives aren't guaranteed to be stable. I would not use them at all. See: https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code...

I also dislike using refs, as they can be overwritten. I would recommend pinning to a specific commit.
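
The distinction drawn in this exchange (autogenerated archive, tag or branch ref, full commit id) can be checked mechanically over a PKGBUILD's `source=()` entries. The following is an added example, not part of the original messages or of any Arch tooling; the helper names `classify_source` and `audit_sources`, the URLs and the commit id are constructed for illustration.

```bash
# Added example: classify makepkg source=() entries by how firmly they pin upstream.
# classify_source and audit_sources are hypothetical helper names.
classify_source() {
    cs_url=${1#*::}                          # drop makepkg's optional "name::" prefix
    case $cs_url in
        git+*'#commit='*)
            cs_id=${cs_url##*'#commit='}
            case $cs_id in
                ''|*[!0-9a-f]*) echo weak-commit ;;          # not a hex object id
                *) case ${#cs_id} in
                       40|64) echo pinned-commit ;;          # full SHA-1 / SHA-256 id
                       *)     echo weak-commit ;;            # abbreviated id
                   esac ;;
            esac ;;
        git+*'#tag='*|git+*'#branch='*) echo mutable-ref ;;   # refs can be moved
        git+*) echo unpinned-vcs ;;                           # no fragment, nothing pinned
        https://github.com/*/archive/*) echo autogenerated-archive ;;
        *) echo other ;;
    esac
}

# Prints every entry that is not pinned to a full commit id and
# leaves the number of such entries in AUDIT_FLAGGED.
audit_sources() {
    AUDIT_FLAGGED=0
    for as_entry in "$@"; do
        as_kind=$(classify_source "$as_entry")
        case $as_kind in
            pinned-commit|other) ;;
            *) AUDIT_FLAGGED=$((AUDIT_FLAGGED + 1))
               printf '%-22s %s\n' "$as_kind" "$as_entry" ;;
        esac
    done
}

# Constructed sample entries (not from any real PKGBUILD).
audit_sources \
    'git+https://github.com/example/project.git#commit=0123456789abcdef0123456789abcdef01234567' \
    'project::git+https://github.com/example/project.git#tag=v1.2.3' \
    'https://github.com/example/project/archive/refs/tags/v1.2.3.tar.gz' \
    'git+https://github.com/example/project.git#commit=0123abc' \
    'https://example.org/releases/project-1.2.3.tar.xz'
echo "flagged: $AUDIT_FLAGGED"
```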