[mythtv] Found a severe decoding bug in mythffplay
Raymond Wagner
raymond at wagnerrp.com
Sun May 6 20:19:48 UTC 2012
On 5/6/2012 15:59, Craig Treleaven wrote:
> At 1:42 AM -0400 5/5/12, Michael T. Dean wrote:
>> Yeah, I don't think it's worth doing nightly tarballs or anything.
>>
>> Then again, I'd love to just remove the tarballs from our website and
>> let users/packagers either clone the repo with git or use GitHub
>> tarball links.
>>
>
> Mike, I was looking at packaging Myth for OS X via MacPorts. The folks
> there are strongly biased against pulling from version control systems
> because:
> -security. Verifying checksums on a tarball gives quite strong
> assurance that no malicious changes have been introduced since the
> packager looked at it.
> -repeatability. More chance that the user's install will succeed and
> function as intended.
> -availability. Tarballs can be mirrored on their site to increase
> availability (and a recent email from Stuart Morgan indicates this is a
> non-trivial problem with GitHub).

So I still don't see how the GitHub tarball links fail to meet any of
those requirements. In case you're unaware, you can pull a tarball for
any SHA1 hash, and not simply tags and branch heads. While the tarballs
are only cached by GitHub for a brief period, and auto-generated
otherwise, their checksums are consistent.