[openstack-dev] [all] [stable] No longer doing stable point releases
mrunge at redhat.com
Mon Jun 1 10:25:50 UTC 2015
On 01/06/15 12:10, Flavio Percoco wrote:
> Is this a real problem? What are *tarball timestamps* used for in the
> packaging world?
> I'm sure there's a way we can workaround this issue.
timestamps just give you a hint, how old the source actually is, not
when a packager downloaded the tarball somewhere. It just gives you a
more realistic idea, how ancient the ancient code release is.
>> And: you probably want some hashes to verify, your downloaded tarball
>> is actually, what you wanted.
> These can be generated as well. You can generate a tarball hash for
> each commit and keep it around. The hash shouldn't change if the
> tarball is generated on-the-fly. You could actually generate it
> on-the-fly as well.
Sure, you can. You still need to provide that info. Ideally you'd
prepare a signed file containing your hash.
I mean, something comparable to:
(for CentOS 7 iso files).
More information about the OpenStack-dev