[arch-dev-public] git packages and checksums

Dave Reisner d at falconindy.com
Sun Jul 19 02:32:47 UTC 2015


On Sat, Jul 18, 2015 at 01:10:29PM -1000, Gaetan Bisson wrote:
> [2015-07-18 15:13:43 -0700] Anatol Pomozov:
> > On Sat, Jul 18, 2015 at 1:04 PM, Gaetan Bisson <bisson at archlinux.org> wrote:
> > > Instead I suggest we use the full commit hash. In the example above,
> > > that'd become something like:
> > >
> > >         _commit=9a50ce20ef60263a6c88c29470ce761fcc424f2d
> > >         source=("git://github.com/systemd/systemd.git#commit=$_commit")
> > >         md5sums=('SKIP')
> > 
> > Would it be better to improve *sums=() function to work with
> > directories? This will also help svn/hg based packages.
> >
> > A simple solution is to tar whole directory and then calculate the checksum:
> > 
> > tar -c $DIR | md5sum
> 
> This involves file attributes, so it seems the md5sum would change any
> time you do a new `git clone` even if no actual content has changed.
> 
> Also I think the commit hash is an intrinsically better value because it
> is explicitly published by upstream. Just as checksums are (or should
> be) published next to release tarballs.

Tags are more explicitly published by upstreams than commit hashes. I'm
not sure I understand the benefit of switching. Why is it preferable to
use the "value" rather than the "pointer"? What makes it better?

dR
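
Added example, not part of the original thread: the file-attribute objection quoted above and the tag-versus-commit question, run against a constructed throwaway repository that is cloned twice. The repository, file name and tag `v1` are constructed for the demo, the helper names are hypothetical, and sha256sum stands in for md5sum.

```shell
#!/usr/bin/env bash
set -eu

# Checksum of a tar of the work tree (the "tar -c $DIR | md5sum" idea),
# with .git excluded and a fixed member name so only the files count.
tree_sum() {
    tar -C "$1" --exclude=.git -cf - . | sha256sum | cut -d' ' -f1
}

# Commit that a ref (tag, branch or hash) resolves to inside a clone.
pinned_commit() {
    git -C "$1" rev-parse --verify --quiet "$2^{commit}"
}

run_demo() {
    work=$(mktemp -d)

    # Constructed upstream: one file, one commit, one lightweight tag.
    git init -q "$work/upstream"
    echo 'hello' > "$work/upstream/file.txt"
    git -C "$work/upstream" add file.txt
    git -C "$work/upstream" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'initial commit'
    git -C "$work/upstream" tag v1

    # Two independent clones of identical content, checked out at
    # different times so the files carry different mtimes.
    git clone -q "$work/upstream" "$work/clone-a"
    sleep 1
    git clone -q "$work/upstream" "$work/clone-b"

    sum_a=$(tree_sum "$work/clone-a")
    sum_b=$(tree_sum "$work/clone-b")
    commit_a=$(pinned_commit "$work/clone-a" v1)
    commit_b=$(pinned_commit "$work/clone-b" v1)
    rm -rf "$work"
}

run_demo
echo "tar checksum, clone A: $sum_a"
echo "tar checksum, clone B: $sum_b"
echo "v1 -> commit, clone A: $commit_a"
echo "v1 -> commit, clone B: $commit_b"
```

The two tar checksums differ because tar records each file's mtime; the commit hash that `v1` resolves to is the same in both clones.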

