On Mon, Jul 31, 2023 at 7:28 PM Robin Candau <antiz@archlinux.org> wrote:
- Speaking of sources, any reason why you `git clone` the repo against a
specific tag instead of using a tag's archive? [3] Using a tag's archive
would allow you to check the integrity of the downloaded sources (rather
than skipping it). If you do so, I suggest using a stronger hash
algorithm than md5. Using `sha256` or stronger is the standard now. You
could also drop the `git` make dependency.

The autogenerated archives aren't guaranteed to be stable. I would not use them at all. See:
https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/

I also dislike using refs, as they can be overwritten. I would recommend
pinning to a specific commit.
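A small PKGBUILD source lint, added here as an illustration and not part of the thread, that flags the issues raised above: autogenerated archives, mutable tag/branch refs, unpinned or abbreviated git commits, and md5 checksum arrays. Function names and the sample entries are my own; the `#commit=`/`#tag=` fragment syntax and the `localname::url` form are makepkg's.

```python
import re
from urllib.parse import urlparse

# Full-length git object ids (SHA-1 or SHA-256 repositories). Assumption: anything
# shorter is treated as not pinned, since abbreviated ids can become ambiguous.
GIT_OID_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
STRONG_SUMS = {"sha256sums", "sha384sums", "sha512sums", "b2sums"}

def classify_source(entry):
    """Classify one PKGBUILD source= entry as (kind, detail)."""
    # makepkg allows "localname::url"; the URL is the part after "::"
    url = entry.split("::", 1)[-1]
    base, _, fragment = url.partition("#")
    if base.startswith(("git+", "git://")):
        key, _, value = fragment.partition("=")
        value = value.split("?", 1)[0]               # drop a "?signed" suffix
        if key == "commit" and GIT_OID_RE.match(value):
            return ("pinned-commit", value)
        if key == "commit":
            return ("short-commit", value)            # abbreviated id, may clash
        if key in ("tag", "branch"):
            return ("mutable-ref", f"{key}={value}")  # refs can be moved later
        return ("unpinned-git", "default branch HEAD")
    path = urlparse(base).path
    if "/archive/" in path:
        # GitHub-style on-the-fly tarballs: contents and hash not guaranteed stable
        return ("autogenerated-archive", path)
    return ("fetched-file", path)

def audit_pkgbuild(sources, checksum_var):
    """Return findings for sources that are not reproducibly pinned and for a
    weak checksum array name (e.g. "md5sums")."""
    findings = []
    for entry in sources:
        kind, detail = classify_source(entry)
        if kind in ("mutable-ref", "short-commit"):
            findings.append(f"{entry}: pin to a full commit id instead of {detail}")
        elif kind == "unpinned-git":
            findings.append(f"{entry}: no #commit= fragment, build is not reproducible")
        elif kind == "autogenerated-archive":
            findings.append(f"{entry}: autogenerated archive, hash may change")
    if checksum_var not in STRONG_SUMS:
        findings.append(f"{checksum_var}: use sha256sums or stronger")
    return findings

if __name__ == "__main__":
    # Constructed sample entries; project URL and tag are placeholders.
    sample = ["git+https://github.com/example/proj.git#tag=v1.0",
              "https://github.com/example/proj/archive/refs/tags/v1.0.tar.gz"]
    for finding in audit_pkgbuild(sample, "md5sums"):
        print(finding)
```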