[openstack-dev] [all] [stable] No longer doing stable point releases
Matthias Runge
mrunge at redhat.com
Mon Jun 1 10:25:50 UTC 2015
On 01/06/15 12:10, Flavio Percoco wrote:
> Is this a real problem? What are *tarball timestamps* used for in the
> packaging world?
>
> I'm sure there's a way we can work around this issue.
Timestamps just give you a hint of how old the source actually is, not
when a packager downloaded the tarball somewhere. It just gives you a
more realistic idea of how ancient the ancient code release is.
>
>>
>> And: you probably want some hashes to verify your downloaded tarball
>> is actually what you wanted.
>
> These can be generated as well. You can generate a tarball hash for
> each commit and keep it around. The hash shouldn't change if the
> tarball is generated on-the-fly. You could actually generate it
> on-the-fly as well.
Sure, you can. You still need to provide that info. Ideally you'd
prepare a signed file containing your hash.
I mean, something comparable to:
http://centos.bio.lmu.de/7/isos/x86_64/sha256sum.txt.asc
(for CentOS 7 iso files).
Matthias
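
The two points discussed in this message, as an added example that is not part of the original thread or of OpenStack's tooling: a tarball built with every timestamp pinned to the commit time hashes identically each time it is regenerated and still records the age of the source, and a `sha256sum`-style manifest line lets a downloader check it. The function names, file contents and commit time are constructed for illustration; signing the manifest (for example with `gpg --clearsign`) is a separate step not shown.

```python
import gzip, hashlib, hmac, io, tarfile

def build_tarball(files, commit_time):
    """Build .tar.gz bytes from {name: bytes}; all timestamps = commit_time."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):              # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = commit_time            # age of the source, not of the download
            info.mode, info.uid, info.gid = 0o644, 0, 0
            info.uname = info.gname = ""        # no builder-specific metadata
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # The gzip header carries its own mtime; pin it too or the hash drifts.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=commit_time) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def manifest_line(name, data):
    """One line in the format sha256sum writes and `sha256sum -c` reads."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

def verify(manifest, name, data):
    """True only if the manifest lists `name` with the digest of `data`."""
    actual = hashlib.sha256(data).hexdigest()
    for line in manifest.splitlines():
        digest, _, listed = line.partition("  ")
        if listed == name:
            return hmac.compare_digest(digest, actual)
    return False

def source_time(tarball):
    """Newest member mtime recorded inside the tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return max(m.mtime for m in tar.getmembers())

# Constructed sample input (hypothetical project files and commit time)
COMMIT_TIME = 1433154350
FILES = {"pkg/setup.py": b"print('setup')\n", "pkg/README": b"stable branch\n"}

if __name__ == "__main__":
    tarball = build_tarball(FILES, COMMIT_TIME)
    manifest = manifest_line("pkg-stable.tar.gz", tarball)
    print(manifest, end="")
    again = build_tarball(FILES, COMMIT_TIME)
    print("regenerated copy verifies:", verify(manifest, "pkg-stable.tar.gz", again))
    print("source timestamp:", source_time(tarball))
```
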