Nico Kadel-Garcia
2010-10-02 15:49:02 UTC
Date: Fri, 01 Oct 2010 13:55:23 +0200
From: "Yury V. Zaytsev" <yury at shurup.com>
Subject: Re: [suggest] How to introduce git hosted projects to RPMforge?
committed to the SVN directly, but this is done on a per-package basis
and certainly doesn't scale.
Karanbir was offering to set up a DAV site, but there wasn't really
enough demand to pursue this suggestion.
Actually, it doesn't matter so much, because even a DAV set up does not
solve the trust issue. E.g. either way, I will be uploading the tarballs
to this storage, so I might very well just host it on my box. You have
to trust me that I didn't fiddle with the sources, because there is no
official reference source tarball provided by upstream you can compare
the checksums against.
Builds from checkouts are probably not going to be implemented anytime
soon, because it requires major changes to the infrastructure.
So as a practical conclusion, either you convince them to publish the
tarballs, which is something they certainly should consider or I can
host the tarbolls on my box in the mean time, which is not great.
--
Sincerely yours,
Yury V. Zaytsev
Yeah, it's a problem. If the tarball included the ".git" directories,From: "Yury V. Zaytsev" <yury at shurup.com>
Subject: Re: [suggest] How to introduce git hosted projects to RPMforge?
Does RPMforge have a setup that can build from Subversion checkouts?
No.Or does someone ahve a better suggestion how to get this into
Subversion, other than my personally hosting a fork and publishing
tarballs?
Right now, as a workaround, some of the package source archives areSubversion, other than my personally hosting a fork and publishing
tarballs?
committed to the SVN directly, but this is done on a per-package basis
and certainly doesn't scale.
Karanbir was offering to set up a DAV site, but there wasn't really
enough demand to pursue this suggestion.
Actually, it doesn't matter so much, because even a DAV set up does not
solve the trust issue. E.g. either way, I will be uploading the tarballs
to this storage, so I might very well just host it on my box. You have
to trust me that I didn't fiddle with the sources, because there is no
official reference source tarball provided by upstream you can compare
the checksums against.
Builds from checkouts are probably not going to be implemented anytime
soon, because it requires major changes to the infrastructure.
So as a practical conclusion, either you convince them to publish the
tarballs, which is something they certainly should consider or I can
host the tarbolls on my box in the mean time, which is not great.
--
Sincerely yours,
Yury V. Zaytsev
it could be verified against the upstream git repository: git is
vastly superior to Subversion for such verification, especially if the
upstream can be convinced to publish GPG signed tags, which is a
fascinating and incredibly useful git feature.
Considering that this software is handling user logins and SSH
authentication, I'm pretty deeply concerned about the trust issue.
I'll take it up upstream.