Justin Erenkrantz <justin@erenkrantz.com> writes:
> > I reiterate the veto I made to introducing code to use svn export to
> > fetch dependencies in the past. The dependencies must be verified as
> > valid releases. I don't see any way to do that with export. Tarballs
> > have PGP/GPG signatures that can be validated. I leave it up to the
> > individual projects to be sure that however they got their code they put
> > in their tarball is valid. If they want to trust their repo that's up
> > to them. But I really think we should only be using released tarballs
> > for dependencies.
>
> I'm concerned that this adds an extra step that may not always be
> needed. I'd be fine with saying that official releases must use
> extracted tarballs, but I think that there are legitimate times
> (i.e. for non-official releases) where fetching the dependencies via
> svn export is fine. Therefore, to make it easier to produce those
> types of releases, I think the export calls should stay. Note that
> using 'svn export' isn't the default - using the local files is. --
> justin

[I realize this may be asking you to repeat stuff you've already said
in IRC.]

Are such releases made often, and for purposes that we want to
support? In general, I agree that we should be using released
tarballs only for our own releases (sounds like no one disagrees on
that point).

I don't feel like having the export code in there is a huge deal
either way, but I'd like to understand the justification better.

Received on Sat Apr 2 23:12:56 2005