[Sugar-devel] Activity packaging problems

Jonas Smedegaard dr at jones.dk
Sat Dec 20 12:17:19 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Dec 20, 2008 at 01:30:30PM +0100, Marco Pesenti Gritti wrote:
>Hello,
>
>I listed all the problems I'm aware of, which are currently blocking
>activities packaging:
>
>http://sugarlabs.org/go/DevelopmentTeam/Activities_packaging
>
>If you are packaging activities and you run into any (non distribution
>specific) issue, please add to the list.

Please consider republishing latest 0.82.x tarballs at sugarlabs.org, so 
that distributors can refer to a single upstream location for both 
stable and development sources.

Please do not generate new tarballs from Git, but copy the already 
generated tarballs from laptop.org, to not break md5sums verifications 
used by some distros.

A nice add-on hint: Consider using the tool "pristine-tar" to embed into 
the Git repository enough data to reconstruct a binary identical tarball 
only from Git data.

Oh, and another nice add-on: Consider publishing official md5sum for 
officially released tarballs, and consider PGP-signing emails announcing 
official releases. Even without official infrastructure or policies, 
such individual efforts help minimize the possibility of broken or 
tampered sources and thus raise security a bit.


  - Jonas

P.S.

This one posted only to sugarlabs list. Feel free to forward to other 
lists if you judge it relevant...

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklNKJ8ACgkQn7DbMsAkQLhrmwCgm7wl+Gx87w6zCtUWsctuqdg1
ru0An3hqsCQKq1ACQUI4PPlgxiPOtjWe
=Mudq
-----END PGP SIGNATURE-----


More information about the Sugar-devel mailing list