Release archives don't contain all sources
It was brought to my attention semi-recently that the signed osinfo-db release archives available at https://releases.pagure.org/libosinfo/ do not contain the raw source files as present in this git repository, but rather the output of their "compilation". The main difference seems to be that the files contained in the release archives have l10n data embedded into them, whereas in the git repository l10n information is stored separately, to be merged at build time; another difference is that the build scripts, as well as the test suite, are missing from release archives.
This leads to Debian ignoring the release archives completely and grabbing the contents from git directly instead, as explained in the merge request which got me interested in the topic in the first place; Fedora, for example, takes the opposite approach and its build process basically consists in unpacking the release archive and shipping the contents as-is.
I consider both approaches to be suboptimal: Debian is building from source which, among other things, means the test suite gets to run at package build time, but at the same time this means Debian's .orig.tar.xz doesn't match upstream and the PGP signature doesn't apply; Fedora, on the other hand, can use upstream artifacts and verify upstream's PGP signature but doesn't get to run the test suite.
Thinking further about this, I'm not entirely convinced the existing release archives fully comply with the GNU GPL: while the contents are human-readable and editable, I don't think they can be considered the preferred form of modification. As a thought experiment, consider how awkward the simple act of backporting a change through cherry-picking from upstream would be when using the current release archives as base...
I'd like the current release strategy to be reconsidered, and suggest that proper signed release archives containing sources, along with build and test scripts, should be created going forward.
Please don't hesitate to correct me if I've gotten any of the above wrong!