On Thu, Apr 4, 2024 at 9:52 AM Harald Sitter <sit...@kde.org> wrote:
>
> On Thu, Apr 4, 2024 at 3:38 PM Tobias Leupold <t...@stonemx.de> wrote:
> >
> > On 04.04.24 at 13:25, Harald Sitter wrote:
> > > On Thu, Apr 4, 2024 at 12:57 PM Tobias Leupold <t...@stonemx.de> wrote:
> > >> Just what comes into my mind at once. A release is not always only a git
> > >> tag.
> > >
> > > Doesn't that make your source tarball a derived work from the source
> > > in your git tag?
> >
> > Yes, of course! This was the point of what I wrote ...
>
> But then it's no longer **the** source. The source was your tag.
A lot of distributions can't really easily consume Git as a source for software for packaging, and because Git has no immutability guarantees, it's not exactly ideal as an input either.

That said, some of the issues that came up with the xz-utils compromise are things we can more easily mitigate. We can be more vigilant about CMake scripts and CMake modules. We should treat them at the same level as source code itself for code review if we don't already.

Another thing to think about is maybe switching from xz compression to zstd compression, as the compression ratio is generally quite close to xz and decompression is significantly faster and cheaper than xz.

--
真実はいつも一つ!/ Always, there's only one truth!
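As an added example that is not part of this thread: a Python check for the tarball-versus-tag drift discussed above, which digests a release tarball, compares it against the file tree of the tagged commit, and singles out build scripts (CMake files, autotools inputs) that were added or altered after tagging. The tag tree, the tarball and the `demo-1.0` file names are constructed sample data; in practice the tag side would come from `git archive <tag>`.

```python
import hashlib
import io
import tarfile
# Build-time inputs to review as carefully as source code (the point made above).
BUILD_SCRIPT_SUFFIXES = (".cmake", "CMakeLists.txt", ".m4", ".ac", ".am")

def digest_tree(files):
    """Digest a {path: bytes} mapping standing in for `git archive <tag>` output."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def digest_tarball(tar_bytes, strip_prefix):
    """Digest every regular file in a release tarball, dropping the top-level dir."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                path = m.name[len(strip_prefix):] if m.name.startswith(strip_prefix) else m.name
                digests[path] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return digests

def compare_release(tag_tree, tarball):
    """Classify drift between the tagged tree and the shipped tarball."""
    only_in_tarball = sorted(set(tarball) - set(tag_tree))
    only_in_tag = sorted(set(tag_tree) - set(tarball))
    modified = sorted(p for p in set(tag_tree) & set(tarball) if tarball[p] != tag_tree[p])
    # Build scripts added or changed after tagging deserve the first look in review.
    suspicious = sorted(p for p in only_in_tarball + modified if p.endswith(BUILD_SCRIPT_SUFFIXES))
    return {"only_in_tarball": only_in_tarball, "only_in_tag": only_in_tag,
            "modified": modified, "suspicious_build_scripts": suspicious}

# Constructed sample: a tiny tagged tree, and a tarball that edits one CMake module and adds another.
TAG_FILES = {
    "CMakeLists.txt": b"project(demo)\ninclude(cmake/Deps.cmake)\n",
    "cmake/Deps.cmake": b"find_package(ZLIB REQUIRED)\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}

def build_sample_tarball():
    shipped = dict(TAG_FILES)
    shipped["cmake/Deps.cmake"] += b"include(cmake/Extra.cmake)\n"
    shipped["cmake/Extra.cmake"] = b"# generated at release time, absent from the tag\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in shipped.items():
            info = tarfile.TarInfo(name="demo-1.0/" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def check_sample():
    return compare_release(digest_tree(TAG_FILES), digest_tarball(build_sample_tarball(), "demo-1.0/"))
```

On the sample, `check_sample()` reports `cmake/Extra.cmake` as present only in the tarball and `cmake/Deps.cmake` as modified, and lists both under `suspicious_build_scripts`.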