diff mbox

[2/2,v2] manual: Add notes about GitHub and hashes

Message ID 65108fc814c42059f26b7690ccd505c0ebb6afb5.1430667367.git.yann.morin.1998@free.fr
State Accepted
Headers show

Commit Message

Yann E. MORIN May 3, 2015, 3:37 p.m. UTC 
From: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>

We can't take hashes from GitHub, unless the tarball has been uploaded by
the maintainer, otherwise it is generated and may change over time,
which renders hash files useless.

Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Samuel Martin <s.martin49@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

---
v3 -> v4 :
  - typo  (Arnout)

v2 -> v3 (YEM):
  - move the block down, to be with with the other "note"
  - add reference to the GitHub helper
  - small grammatical fix s/automated/automatically/

v1 -> v2:
  - Add changes as requested by Yann E. Morin
  - Reword the comment on released tarball
---
 docs/manual/adding-packages-directory.txt | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Peter Korsgaard May 4, 2015, 1:40 p.m. UTC | #1 
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > From: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
 > We can't take hashes from GitHub, unless the tarball has been uploaded by
 > the maintainer, otherwise it is generated and may change over time,
 > which renders hash files useless.

 > Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
 > Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
 > Cc: Samuel Martin <s.martin49@gmail.com>
 > Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 > Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

 > ---
 > v3 -> v4 :
 >   - typo  (Arnout)

 > v2 -> v3 (YEM):
 >   - move the block down, to be with with the other "note"
 >   - add reference to the GitHub helper
 >   - small grammatical fix s/automated/automatically/

 > v1 -> v2:
 >   - Add changes as requested by Yann E. Morin
 >   - Reword the comment on released tarball
 > ---
 >  docs/manual/adding-packages-directory.txt | 7 +++++++
 >  1 file changed, 7 insertions(+)

 > diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
 > index 6c478c2..fb3764e 100644
 > --- a/docs/manual/adding-packages-directory.txt
 > +++ b/docs/manual/adding-packages-directory.txt
 > @@ -442,6 +442,13 @@ strong hash yourself (preferably +sha256+, but not +md5+), and mention
 >  this in a comment line above the hashes.
 
 >  .Note
 > +If +libfoo+ is from GitHub (see xref:github-download-url[] for details), we
 > +can only accept a +.hash+ file if the package is a released (e.g. uploaded
 > +by the maintainer) tarball. Otherwise, the automatically generated tarball
 > +may change over time, and thus its hashes may be different each time it is
 > +downloaded, making the +.hash+ file irrelevant for that tarball.

I wouldn't call it irrelevant, it is more that the hash won't match the
tarball.

I've changed it to:

downloaded, causing a +.hash+ mismatch for that tarball.

And committed, thanks.
diff mbox

Patch

diff --git a/docs/manual/adding-packages-directory.txt b/docs/manual/adding-packages-directory.txt
index 6c478c2..fb3764e 100644
--- a/docs/manual/adding-packages-directory.txt
+++ b/docs/manual/adding-packages-directory.txt
@@ -442,6 +442,13 @@  strong hash yourself (preferably +sha256+, but not +md5+), and mention
 this in a comment line above the hashes.
 
 .Note
+If +libfoo+ is from GitHub (see xref:github-download-url[] for details), we
+can only accept a +.hash+ file if the package is a released (e.g. uploaded
+by the maintainer) tarball. Otherwise, the automatically generated tarball
+may change over time, and thus its hashes may be different each time it is
+downloaded, making the +.hash+ file irrelevant for that tarball.
+
+.Note
 The number of spaces does not matter, so one can use spaces (or tabs) to
 properly align the different fields.