Greg Troxel <[email protected]> wrote:

> Generally, not really, but we cope with all sorts of things when we have
> to.  Typically packages that need a git checkout are in the
> new/not-really-baked upstream stage.
>
> What pkgsrc -- and I'd expect just about every other packaging system
> including GNU/Linux distributions -- expects is to download a release
> tarball from a URL.  It is rare for that not to be available, and pretty
> much unheard of for a healthy project (that is maintained, has
> releases).  Fibers appears healthy except for not having tarballs.

My view as a packager is that release tarballs are on the decline.  In
Guix, 12k packages out of 30k (38%) have their source taken from a
tarball; see also figures 3 and 4 of
<https://hal.science/hal-04586520v1> for the general trend.

Tarballs that contain pre-built artifacts are also a bootstrapping and a
security issue, as illustrated by the attack on XZ-Utils.

Overall, evidence suggests that the presence or lack of release tarballs
is unrelated to a project’s health. :-)

Ludo’.
