Source URL guidelines (was Re: source file audit - 2009-02-15)
Ralf Corsepius
rc040203 at freenet.de
Sun Feb 22 06:37:28 UTC 2009
Tom Lane wrote:
> Kevin Fenzi <kevin at scrye.com> writes:
>> Here's attached another run of my sources/patches url checker.
>
> I've got several failures in this list, which reminds me that there's a
> pretty serious problem with the entire concept of source URL as defined at
> https://fedoraproject.org/wiki/Packaging/SourceURL
>
> Namely, that it assumes there's a nice static URL for you to point at.

Right.

> I don't know what an appropriate set of rules is, but I wish that the
> Source-URL packaging guidelines bore some resemblance to the real world
> of modern web design. (Or misdesign, perhaps, but that's what's out
> there.) The special exception for sourceforge needs to be replaced
> with some more general discussion of what to do with bizarre website
> layouts.

The whole point behind Source-URL rules is to have a reliable,
deterministic URL from which a package can be retrieved, e.g. for
verification (e.g. checksum), legal reviews, tracking origins of packages
etc., and to prevent Fedora from being vulnerable to upstream dynamics
(low quality random snapshots, bugs, compromised upstreams, etc.).

That said, the sourceforge rule is a "best practice" hint to _prevent_
users from populating source-urls with one of sourceforge's mirrors.

<cite>
For packages hosted on sourceforge, use
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
changing ".tar.gz" to whatever matches the upstream distribution. Note
that we are using downloads.sourceforge.net instead of an arbitrarily
chosen mirror.
</cite>

=> There is no sourceforge exception. It's the converse: We explicitly
advise users to use a static URL.

Ralf