On Mon, 2018-06-25 at 16:14 -0700, Alice Wonder wrote:
> As a packager, GitHub is a fracking nightmare.
> 
> Frequently what we do is include a hash of the release tarball in our
> build and require that it matches so that people rebuilding our
> package (e.g. to add a patch they need) don't have to trust us, they
> can use our build spec file but fetch the upstream source themselves,
> and the hash match lets them know that what they fetched from
> upstream is identical to what the initial packager used.
> 
> But with GitHub getting the URL to the actual download is tricky and
> often breaks and also I've seen the hash from the release tarball on
> GitHub differ from the hash of the release tarball on the project site
> numerous times.

Well, with git the URL is repository URL+hash. A tarball does not
necessarily bring rebuildability. I have seen different projects
replacing tarballs without changing version numbers etc.

Anyways those are details to be discussed outside this specific thread.

My point is that PECL is in a bad state in terms of usability, both for
extension authors and for users, and I think a "PHP 8" headline might
be a good time to redefine this. But this needs work (and I also
directly say that I can't promise much time myself), so if others share
the pain and want to solve/improve this, I'd be happy to help
coordinate this.

johannes


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
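
Added example, not part of the original message or of any project's tooling: a way to triage the hash mismatch discussed above by telling a repacked tarball (same files, different archive bytes) apart from one whose content was replaced. All function names and sample files are hypothetical and constructed; a differing gzip timestamp is used here as one assumed benign cause of a mismatch.

```python
import gzip, hashlib, io, tarfile

def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory (constructed sample input, not a real release)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """SHA-256 over the archive bytes: the value a build spec would pin."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map member path -> SHA-256 of file content, ignoring gzip and tar metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def compare(pinned_blob, fetched_blob):
    """Classify a fetched tarball against the one the packager pinned."""
    if archive_digest(pinned_blob) == archive_digest(fetched_blob):
        return "identical", []
    a, b = content_manifest(pinned_blob), content_manifest(fetched_blob)
    changed = sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))
    return ("repacked" if not changed else "content-differs"), changed

# Constructed sample data: one source tree, a re-compressed copy, a silently replaced copy.
SRC = {"ext-1.0/config.m4": b"PHP_NEW_EXTENSION(ext, ext.c)\n", "ext-1.0/ext.c": b"int v = 1;\n"}
ALTERED = dict(SRC, **{"ext-1.0/ext.c": b"int v = 2;\n"})
PINNED = make_tarball(SRC, gzip_mtime=1529900000)
REPACKED = make_tarball(SRC, gzip_mtime=1529990000)
REPLACED = make_tarball(ALTERED, gzip_mtime=1529900000)

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("replaced", REPLACED)):
        print(label, compare(PINNED, blob))
```

A "repacked" result only compares regular-file contents, so file modes, symlinks and ownership are not covered; it helps diagnose a mismatch and does not replace the pinned-hash check in the build.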