On Thu, Nov 15, 2018 at 06:51:31PM -0500, Daniel M. Capella via aur-general wrote:
Quoting Eli Schwartz via aur-general (2018-11-15 00:52:50)
On 11/14/18 11:50 PM, Daniel M. Capella via aur-general wrote:
Quoting Levente Polyak via aur-general (2018-11-14 17:00:38)
- tests are awesome <3 run them whenever possible! more is better! pulling sources from github is favorable when you get free tests and sometimes manpages/docs
Will work with the upstreams to distribute these. I prefer to use published offerings as they are what the authors intend to be used. GitHub autogenerated tarballs are also subject to change: https://marc.info/?l=openbsd-ports&m=151973450514279&w=2
I've seen the occasional *claim* that this happens, but I've yet to see any actual case where this happens and it isn't because of upstream force-pushing a tag.
GitHub is supposed to use git-archive(1) for this, which is guaranteed to be reproducible when generating .tar, although in theory post-filtering this through a compressor like gzip can result in changes from one version of git to another. I say in theory because I don't recall this ever happening, and git-archive uses the fairly boring defaults.
I don't see any reason to use substandard sources in order to avoid checksum problems I don't believe in.
Those guidelines are mainly in the context of the python ecosystem. There are no prefferences, only options. If tests, manpages or sources are missing from the pypi mirrors because of mismanagement from upstream, then they are indeed substandard.