[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Heads-up: brand new RPM version about to hit rawhide

Doug Ledford <dledford <at> redhat.com> writes:
> First, before I respond to the rest of this, keep in mind that the
> "overwhelming majority" of packages needs to be quantified.
> Furthermore, at least one very significant package (the kernel) does not
> massage files at all between SCM tag and tarball.  And to be honest, I
> would be very surprised to find many projects that do have any
> significant difference between a tagged release in the SCM of their
> choice and their tarballs.  So I would like some examples please, which
> shouldn't be hard to come up with since it is the "overwhelming
> majority" of projects that obviously think when they tag something in
> their SCM it doesn't need to match the tarball they make with the same
> tag version...

Many packages don't have a public SCM at all; some have a private SCM, some 
one-man projects have no SCM at all. (For example, there is _no_ SCM for 
Quarticurve and Quarticurve-KWin, unless you call fully exploded copies of old 
versions sitting around on my HDD an "SCM".)

And even if they use an SCM, they can:
* make releases without tags: For example, the weekly trunk snapshots of KDE 
don't get tags, nor do the extragear tarball releases.
* modify tags: This is particularly common in Subversion which allows using a 
tag like a branch. KDE normally uses the following workflow:
1. tag release
2. prerelease tarballs from the tags to packagers
3. fix any showstoppers by merging fixes to the tag
4. respin tarballs for the modules which were thus fixed
5. make the release public
so the contents of the tag can change between when we first build the package 
and the public release of the new version. The checksummed tarballs handle this 
robustly, we can just upload a new respun tarball with a new checksum. But 
automatically picking up a respin can break the build because sometimes we had 
a showstopper fix as a patch, which of course no longer applies if the release 
is respun including the fix, so building from whatever the current contents of 
the tag are rather than from whatever we used breaks reproducibility of builds.
* require postprocessing: It's not just autotools which are a problem there. 
For example, the KDE extragear releases use a fairly clever script collecting 
translations from elsewhere in the SVN repository.

        Kevin Kofler

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]