On Wed, 24 Aug 2011 07:23:30 -0700 Toshio Kuratomi <a.badger@gmail.com> wrote:
On Wed, Aug 24, 2011 at 08:45:20AM -0400, James Laska wrote:
< Location: https://raw.github.com/dougsland/nagios-plugins-rhev/master/nagios-plugins-r...
Side comment to your main issue: How is this tarball being generated? I see in the review request that the md5sum of the file at that URL has changed over time. If it's just the upstream not officially releasing this tarball until the Fedora RPM is out, and therefore making changes to the tarball to address review criteria, it's not standard practice but okay. If the tarball is going to continue to evolve with this same name after the Fedora RPM is reviewed, then it's probably better to generate a git snapshot.
The aim is to make things reproducible. If we can't count on getting the same tarball once the rpm is built, we'd rather have instructions on making a snapshot that has a revision id that we can count on pulling to get the same set of files at a later date.
I've done a few reviews on github packages. Even if you download a stable tag tarball from the project in github (which in theory should be equivalent to using a stable release tarball), it turns out that the checksums might not match a few days after.
I think github caches the tarballs it generates for a few days, so if you grab the same tarball repeatedly, you'll get the same md5sum. If you wait a longer time, you will get a different result. But even though the md5sums won't match, the contents will still be the same.
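Added example, not part of the original thread: one way a reviewer can check that two downloads of a tarball carry the same files even when the archive md5sums differ, by hashing the member names, modes and file bytes instead of the compressed file. The sample files, the timestamps and the assumption that only the gzip header timestamp differs between the two downloads are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

# Constructed sample source tree (not taken from the package under review).
SAMPLE_FILES = {"pkg-1.0/README": b"example plugin\n",
                "pkg-1.0/check_example.py": b"print('OK')\n"}

def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory; gzip_mtime is written into the gzip header."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_md5(blob):
    """md5 of the compressed archive, as md5sum would report it."""
    return hashlib.md5(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over name, type, mode, link target, size and bytes of every member."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            header = (m.name, m.type.decode(), f"{m.mode:o}", m.linkname, str(m.size))
            h.update("\0".join(header).encode() + b"\0")
            if m.isfile():
                h.update(tar.extractfile(m).read())
    return h.hexdigest()

def compare(blob_a, blob_b):
    """Return (archive checksums match, contents match) for two tarballs."""
    return (archive_md5(blob_a) == archive_md5(blob_b),
            content_digest(blob_a) == content_digest(blob_b))

if __name__ == "__main__":
    first = make_tarball(SAMPLE_FILES, gzip_mtime=1314100000)   # constructed timestamps
    later = make_tarball(SAMPLE_FILES, gzip_mtime=1314600000)
    print("md5 match: %s, content match: %s" % compare(first, later))
```

A content digest that differs between downloads means the files themselves changed, which is the case where a snapshot pinned to a revision id is needed.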