Re: [PATCH 4/6] docs: downloads: Change sources link for libvirt-ocaml

On Tue, Mar 14, 2023 at 06:12:33AM -0400, Andrea Bolognani wrote: > On Tue, Mar 14, 2023 at 10:36:56AM +0100, Peter Krempa wrote: > > The sources for new libvirt-ocaml releases are hosted via gitlab. Add > > the link. Since old releases are not present there preserve also the old > > link. > ... > > * - OCaml > > - - `libvirt <https://download.libvirt.org/ocaml/>`__ > > + - `gitlab <https://gitlab.com/libvirt/libvirt-ocaml/-/tags>`__ > > + `libvirt (old versions) <https://download.libvirt.org/ocaml/>`__ > > Is the fact that no tarballs have been uploaded for the last few > releases intentional, or an oversight? > > While I see tags for those releases in GitLab, in general git tags > are not a replacement for proper release tarballs, which I'm not > seeing anywhere on GitLab. Indeed, as was seen recently with github, the auto-generated tarballs can change when the backend impl changes, which invalidate any hashes vendors are using to validate tarballs. It is unwise to rely on the auto-generated tarballs as the canonical release artifacts