
On Tue, Mar 14, 2023 at 10:14:33AM +0000, Daniel P. Berrangé wrote:
On Tue, Mar 14, 2023 at 06:12:33AM -0400, Andrea Bolognani wrote:
On Tue, Mar 14, 2023 at 10:36:56AM +0100, Peter Krempa wrote:
The sources for new libvirt-ocaml releases are hosted via gitlab. Add the link. Since old releases are not present there preserve also the old link. ... * - OCaml - - `libvirt <https://download.libvirt.org/ocaml/>`__ + - `gitlab <https://gitlab.com/libvirt/libvirt-ocaml/-/tags>`__ + `libvirt (old versions) <https://download.libvirt.org/ocaml/>`__
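Review bot: the two links added to the OCaml cell sit on consecutive lines with nothing between them, so RST joins them into a single paragraph and they render run together as "gitlab libvirt (old versions)". A comma or a blank line between them would keep the two entries distinct. The first link also targets `/-/tags`, which is a list of git tags rather than a download location like the other entry, and the label "gitlab" does not tell the reader that.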
Is the fact that no tarballs have been uploaded for the last few releases intentional, or an oversight?
While I see tags for those releases in GitLab, in general git tags are not a replacement for proper release tarballs, which I'm not seeing anywhere on GitLab.
Indeed, as was seen recently with GitHub, the auto-generated tarballs can change when the backend impl changes, which invalidates any hashes vendors are using to validate tarballs. It is unwise to rely on the auto-generated tarballs as the canonical release artifacts.
Not only that: you also miss all the stuff generated during the dist step, so the forge-generated tarballs are going to be unusable or at the very least require additional steps on the user's part. Plus no PGP signatures, which libvirt-ocaml seems to have finally started using recently.

-- 
Andrea Bolognani / Red Hat / Virtualization
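The hash problem raised in this thread, as an added example that is not part of the original messages or of libvirt's tooling: the same source tree is archived twice with different gzip settings, standing in for a forge backend change, and the archive SHA-256 differs while the extracted content is identical. The file names, function names and the choice of gzip level as the "backend change" are assumptions made for illustration.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a tagged source checkout.
FILES = {"pkg-1.0/README": b"example\n", "pkg-1.0/src/main.ml": b"let () = ()\n"}

def make_tar(files):
    """Build a deterministic uncompressed tar (fixed mtime, owner, order)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def forge_archive(tar_bytes, level):
    """Simulated forge backend: the gzip settings are an implementation detail."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=0) as gz:
        gz.write(tar_bytes)
    return out.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def content_digest(tgz_bytes):
    """Hash member names and contents, ignoring compression details."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(m.name.encode() + b"\0")
            if m.isfile():
                h.update(tar.extractfile(m).read())
    return h.hexdigest()

def compare():
    tar_bytes = make_tar(FILES)
    before = forge_archive(tar_bytes, level=1)  # backend before the change
    after = forge_archive(tar_bytes, level=9)   # backend after the change
    return {
        "pinned_hash_still_valid": sha256(before) == sha256(after),
        "same_source_content": content_digest(before) == content_digest(after),
    }

if __name__ == "__main__":
    print(compare())
```

A hash pinned against an uploaded release tarball does not have this problem, because the published bytes never get regenerated.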