[oss-devel] oss source tarball name
Dev Mazumdar
dev at opensound.com
Thu Jan 17 22:36:17 EET 2008
Cristi Magherusan wrote:
> On Thu, 2008-01-17 at 19:28 +0200, Yair K. wrote:
>> On Thursday 17 January 2008 18:37:19 Dev Mazumdar wrote:
>>> Hi,
>>>
>>> While I agree with this, how do we specify the build id in the package
>>> name?
>>>
>>> We can guarantee that whatever is in the stable/$LICENSE is always the
>>> latest - you will only find ONE bz2 file there.
>>>
>>> The other option is we rename as follows:
>>> sources/stable/oss-4.0-stable-<license>.tar.bz2
>>> But you never know what version this file is.
>>>
>>>
>>> Yet another option is that we have a symlink:
>>> LATEST -> oss-4.0-<buildid>-<license>-tar.bz2
>>> Then you pull down LATEST using wget or whatever.
>>>
>> The latter option sounds simplest. Two other things I'd suggest:
>> 1) Having the newest version already in attic/ . That way, there's already
>> a stable link if a package system is interested in that particular build.
>> 2) Having a checksum on the server for the source tarballs (LATEST.sha?).
>> The recent SquirrelMail vulnerability[1] shows that the source poisoning
>> method is used in the wild. (Yes, an attacker will change the checksum on the
>> affected server, but a user can verify against a checksum from a different
>> mirror from the one downloading LATEST). I'm no expert at this, but MD5
>> sounds like it's about to be broken for verification, so I'd suggest using a
>> SHA-based method.
>>
>> [1]
>> http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw
>>
>> Yours,
>> Yair K.
>
> Hello,
>
> As a gentoo ebuild maintainer, I think that for us the easier way would
> be to keep the versioning scheme, and have all the files in the same dir
> so that it will be easier to maintain older versions without changing
> the ebuilds. The versioning scheme would be irrelevant, if it is
> monotonic and consistent in time.
>
> If you feel like having each license in another dir, I don't mind. Also,
> the LATEST symlink would be irrelevant for us because we use MD5 and SHA
> hashes that must be re-generated for each new version.
>
> The most important is that different versions shouldn't have the same
> name, but instead increase the version number if the file/hash was
> changed.
>
> Best regards,
>
> Cristi
>
> _______________________________________________
> oss-devel mailing list
> oss-devel at mailman.opensound.com
> http://mailman.opensound.com/mailman/listinfo/oss-devel
>
Hi,
Another idea is that we separate all the distros according to license -
so stuff from the attic will be moved to the appropriate license
directory and in each directory we have:
LATEST-IS-BUILD1013 -> oss-v4.0-build1012-gpl.tar.bz2
Take a look now.
regards
Dev Mazumdar
-----------------------------------------------------------
4Front Technologies
4035 Lafayette Place, Unit F, Culver City, CA 90232, USA.
Tel: (310) 202 8530 URL: www.opensound.com
Fax: (310) 202 0496 Email: info at opensound.com
-----------------------------------------------------------
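The cross-mirror checksum check Yair describes above (verify the tarball against a digest published somewhere other than the server it was downloaded from), written out as an added POSIX shell example. This is not code from the thread or from 4Front; the tarball name, the `mirror*.sha256` listing names and the `compromised/` directory are constructed placeholders, and the listings use the `<hex>  <filename>` layout that `sha256sum` emits.

```shell
#!/bin/sh
# Added example, not part of the oss-devel thread: verify a source tarball
# against SHA-256 listings from two independent sources and refuse it unless
# both listings agree with each other and with the locally computed digest.
# Placeholder name; the build id in a real release name would differ.
NAME="oss-v4.0-buildNNNN-gpl.tar.bz2"

# Hex SHA-256 of a file, portable across GNU sha256sum and BSD/macOS shasum.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Digest recorded for file name $2 in listing $1 ("<hex>  <filename>" lines).
digest_from_listing() {
    awk -v f="$2" '$2 == f {print $1; exit}' "$1"
}

# Returns 0 only if both listings carry an entry for the tarball, the two
# entries agree, and they match the digest of the file actually downloaded.
verify_tarball() {
    tarball=$1; listing_a=$2; listing_b=$3
    name=$(basename "$tarball")
    local_d=$(digest_of "$tarball")
    a=$(digest_from_listing "$listing_a" "$name")
    b=$(digest_from_listing "$listing_b" "$name")
    [ -n "$a" ] && [ -n "$b" ] || { echo "missing entry for $name" >&2; return 1; }
    [ "$a" = "$b" ]   || { echo "listings disagree for $name" >&2; return 1; }
    [ "$a" = "$local_d" ] || { echo "digest mismatch for $name" >&2; return 1; }
    echo "OK $name"
}

# Constructed demo data: a genuine release mirrored twice, plus a poisoned
# copy whose own LATEST.sha256 was rewritten to match the tampered file.
demo_setup() {
    tmp=$(mktemp -d)
    mkdir "$tmp/compromised"
    printf 'genuine release contents\n'  > "$tmp/$NAME"
    printf 'tampered release contents\n' > "$tmp/compromised/$NAME"
    genuine=$(digest_of "$tmp/$NAME")
    tampered=$(digest_of "$tmp/compromised/$NAME")
    printf '%s  %s\n' "$genuine"  "$NAME" > "$tmp/mirror1.sha256"
    printf '%s  %s\n' "$genuine"  "$NAME" > "$tmp/mirror2.sha256"
    printf '%s  %s\n' "$tampered" "$NAME" > "$tmp/compromised/LATEST.sha256"
    echo "$tmp"
}

# Demo run: the genuine file passes; the poisoned file passes a check against
# the compromised server's own listing but fails once a second mirror is consulted.
d=$(demo_setup)
verify_tarball "$d/$NAME" "$d/mirror1.sha256" "$d/mirror2.sha256"
if verify_tarball "$d/compromised/$NAME" "$d/compromised/LATEST.sha256" "$d/mirror1.sha256"; then
    echo "unexpected acceptance of tampered tarball" >&2
fi
rm -rf "$d"
```

The point of requiring agreement between two listings is the one made in the thread: an attacker who can replace the tarball on one server can usually replace the checksum file beside it, so a digest fetched from the same place proves nothing. The second listing only helps if it is served from infrastructure the first server's compromise does not reach.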