[OE-core] [PATCH 4/8] logrotate: replace fedorahosted.org SRC_URI with yoctoproject.org source

Alexander Kanavin alexander.kanavin at linux.intel.com
Mon Apr 3 09:09:52 UTC 2017


On 04/03/2017 11:30 AM, Jussi Kukkonen wrote:

> This is true, there's not that much in the repo itself to create trust.
> The major show of trust is here though:
> http://pkgs.fedoraproject.org/cgit/rpms/logrotate.git/commit/?id=9cb55142e51b82085d6c3136448c1f441454e351
> Fedora/Red Hat themselves changed to use this repo when the fedorahosted
> repos were EOL'd (see also Red Hat folks working on the github issues in
> January).
>
> If the release tarballs have been re-generated and the hashes no longer
> match, I'd still prefer modifying the recipe to use github (after
> manually diffing to make sure they are the same source release of
> course) but I can understand a differing viewpoint in this case.
>
> It would be good to mention the issue in the commit message, whichever
> way this is solved.

If github is not trustworthy, I'd say taking the tarball from Debian 
should be good enough. Same applies to chkconfig - we just shouldn't 
self-host these things, as that guarantees support headaches.


Alex
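The thread's concern about re-generated release tarballs whose hashes no longer match can be checked mechanically. The following is an added example, not code from this thread or from OE-core: it compares two tarballs file by file, ignoring the top-level directory name, timestamps and compression. The function names, the sample archive names and contents are constructed for illustration, and it assumes each archive has a single top-level directory.

```python
import hashlib
import io
import tarfile


def _strip_top(name):
    """Drop the top-level directory, which differs between re-generated archives."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    return "/".join(parts[1:])


def tar_manifest(data):
    """Map each non-directory member's relative path to a content fingerprint."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.isdir():
                continue
            rel = _strip_top(m.name)
            if not rel:
                raise ValueError(f"member outside a top-level directory: {m.name!r}")
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                # Keep the executable bit: it is part of the source, unlike mtime/owner.
                manifest[rel] = f"sha256:{digest}:{'x' if m.mode & 0o111 else '-'}"
            elif m.issym() or m.islnk():
                manifest[rel] = f"link:{m.linkname}"
            else:
                manifest[rel] = f"special:{m.type.decode()}"
    return manifest


def compare_tarballs(a, b):
    """Return paths present on one side only, and paths whose content differs."""
    ma, mb = tar_manifest(a), tar_manifest(b)
    return {"only_in_a": sorted(ma.keys() - mb.keys()),
            "only_in_b": sorted(mb.keys() - ma.keys()),
            "changed": sorted(p for p in ma.keys() & mb.keys() if ma[p] != mb[p])}


def make_tarball(top, files, mtime, mode):
    """Build a constructed sample tarball in memory (not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

An empty result from `compare_tarballs` means the two archives carry the same source tree even though their checksums differ; any entry in it is what to read before changing the recipe's SRC_URI and checksums.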



