Source URL guidelines (was Re: source file audit - 2009-02-15)

Michael Schwendt mschwendt at gmail.com
Sun Feb 22 14:26:42 UTC 2009


On Sun, 22 Feb 2009 13:35:13 +0100, Ralf wrote:

> > There still is the URL tag which can be used to search for [and verify!]
> > new download locations during a "legal review".
>
> Yes, chasing URLs is the last resort. You can't be seriously wanting 
> this to be the norm?

Not "the norm", but acceptable in all the cases where the originally
working Source-URL no longer works.

In particular, packagers and reviewers must visit upstream web sites
and verify release-versions and download-locations manually anyway.

They could simply run spectool, rely on the accuracy of the Source-URL,
and download a tarball without visiting web pages => but that would be
sloppy.

> >> and to prevent Fedora from being vulnerable from upstream dynamics 
> >> (low quality random snapshots, bugs, compromised upstreams, etc.)
> > 
> > ?!  A static Source-URL alone doesn't achieve that alone.
> Right, but comparing tarballs against those found on URLs does.

Not everything you mention above. - Well, occasionally it may find
tarballs which have changed, but it cannot verify any of the exceptions
covered by the Source URL Guidelines. Also, can you show some statistics
about how often this leads to something beneficial (such as brown
paper-bag bug-fixes)?

| danms:BADSOURCE:libcmpiutil-0.4.tar.gz:libcmpiutil

$ md5sum libcmpiutil-0.4.tar.gz 
48132314c5cbeb87d1c9e561f1c86b2b  libcmpiutil-0.4.tar.gz

$ cat sources 
7ee1bb889c25e8ddc3b099b34ef159a5  libcmpiutil-0.3.tar.gz
78ca0dbcde4b1ceba6677f1f2fa6a90f  libcmpiutil-0.4.tar.gz

diff -Nur libcmpiutil-0.4-orig/aclocal.m4 libcmpiutil-0.4-new/aclocal.m4
-# generated automatically by aclocal 1.10.1 -*- Autoconf -*-
+# generated automatically by aclocal 1.10 -*- Autoconf -*-
 
 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-# 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
+# 2005, 2006  Free Software Foundation, Inc.
[...]

...and so on. Both released on the same day. 2008-05-20. The newer one
is an hour older. ;) Packager is upstream.


[sf.net download urls]

> The real purpose these days is to be able to compare an *.src.rpm's 
> sources against those to be found on the given URL.

| MUST: The package must meet the Packaging Guidelines.
|
|-> https://fedoraproject.org/wiki/Packaging/Guidelines#tags
|--> https://fedoraproject.org/wiki/Packaging/SourceURL
|---> https://fedoraproject.org/wiki/Packaging/SourceURL#Sourceforge.net

Fortunately, the current wording does not read like a strict MUST. 
It's a pain if reviewers insist on getting other sf.net urls fixed,
and wget/curl/lftp cannot connect to the recommended url. In such
a case, I'm willing to treat this guideline as "not mandatory" and
put such urls in comments only. Rationale can be found in the main
ReviewGuidelines:

| MUST: The sources used to build the package must match the upstream
| source, as provided in the spec URL.

If "the spec URL" doesn't work, all that can be done is to choose from the
remaining [and working!] download options, e.g. direct links to the
mirrors.
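The checksum comparison behind the BADSOURCE line above, written out as a small POSIX sh script. This is an added example, not code from the thread or from the Fedora audit tooling; it assumes a Fedora-style `sources` file with lines of the form `<md5>  <filename>`, that `md5sum` (or `openssl`) is on PATH, and the function names `md5_of`, `check_source` and `demo` are hypothetical. The demo runs on constructed files in a temp directory, not on real upstream tarballs.

```shell
#!/bin/sh
# Added example (not from the thread): compare a downloaded tarball's md5
# against the entry recorded in a Fedora-style "sources" file.
# Assumptions: "sources" lines look like "<md5>  <filename>";
# md5sum (or openssl as a fallback) is on PATH.

# md5_of FILE -> prints the hex md5 of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# check_source SOURCES_FILE TARBALL
# Prints one status line in the audit's style:
#   OK:<name>          checksum matches the recorded one
#   BADSOURCE:<name>   tarball is listed but its checksum differs
#   NOSOURCE:<name>    tarball is not listed in "sources" at all
# Exit status: 0 = OK, 1 = BADSOURCE, 2 = NOSOURCE
check_source() {
    sources=$1
    tarball=$2
    name=$(basename "$tarball")
    # first column is the md5, second the file name; take the first match
    expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$sources")
    if [ -z "$expected" ]; then
        echo "NOSOURCE:$name"
        return 2
    fi
    actual=$(md5_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK:$name"
        return 0
    fi
    echo "BADSOURCE:$name expected=$expected actual=$actual"
    return 1
}

# Demo on constructed files (not real upstream tarballs): one entry recorded
# correctly, one recorded with a deliberately wrong md5, one not recorded.
demo() {
    dir=$(mktemp -d)
    printf 'release 0.3\n' > "$dir/libcmpiutil-0.3.tar.gz"
    printf 'release 0.4\n' > "$dir/libcmpiutil-0.4.tar.gz"
    good=$(md5_of "$dir/libcmpiutil-0.3.tar.gz")
    printf '%s  libcmpiutil-0.3.tar.gz\n' "$good" > "$dir/sources"
    printf '%s  libcmpiutil-0.4.tar.gz\n' \
        "00000000000000000000000000000000" >> "$dir/sources"
    check_source "$dir/sources" "$dir/libcmpiutil-0.3.tar.gz"
    check_source "$dir/sources" "$dir/libcmpiutil-0.4.tar.gz"
    check_source "$dir/sources" "$dir/libcmpiutil-0.5.tar.gz"
    rm -rf "$dir"
}

demo
```

A mismatch only tells you the bytes differ; as the diff above shows, a BADSOURCE can be nothing more than a regenerated autotools file, so the next step is a `diff -Nur` of the two unpacked trees rather than an automatic rejection.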




More information about the fedora-devel-list mailing list