[openstack-dev] [all] [stable] No longer doing stable point releases

Matthias Runge mrunge at redhat.com
Mon Jun 1 10:25:50 UTC 2015

On 01/06/15 12:10, Flavio Percoco wrote:

> Is this a real problem? What are *tarball timestamps* used for in the
> packaging world?
> I'm sure there's a way we can workaround this issue.

timestamps just give you a hint, how old the source actually is, not 
when a packager downloaded the tarball somewhere. It just gives you a 
more realistic idea, how ancient the ancient code release is.
>> And: you probably want some hashes to verify, your downloaded tarball
>> is actually, what you wanted.
> These can be generated as well. You can generate a tarball hash for
> each commit and keep it around. The hash shouldn't change if the
> tarball is generated on-the-fly. You could actually generate it
> on-the-fly as well.
Sure, you can. You still need to provide that info. Ideally you'd 
prepare a signed file containing your hash.

I mean, something comparable to:


(for CentOS 7 iso files).


More information about the OpenStack-dev mailing list