On 04/04/2023 09:36, Kalev Lember wrote:
That's not exactly true. Yes, non-packagers can't upload files to the lookaside cache, but they can update the 'sources' and '.gitignore' files in git.
GitHub has stated[1] that they no longer guarantee hash stability between archive downloads.
We discussed this issue at #devel:fedoraproject.org[2] and everyone agreed that tarball format is not reproducible.
Thus, when the maintainer downloads the tarball using spectool, the hashes will not match.
[1]: https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/ [2]: https://matrix.to/#/!lbPXqyjXDnvnfogGYA:matrix.org/$Flv-5iRWTWeG9XYbH3p0jfuyTSpLcHfVeosK4QqKAiA
-- Sincerely, Vitaly Zaitsev (vit...@easycoding.org) _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
