Overview

Request 1165380 accepted

Update to version 24.04.02.
This request will change the packaging from using a release tarball to generating the tarball directly from git to harden the package against supply chain attacks.
I would appreciate any feedback on this change and will leave the request open for a little bit.

Changes versus Request 1164241:
- Change tarball generation to only use obscpio and then recompress at runtime.

Martin Pluskal

Why have source twice (as tarball and obscpio)?


Simon Vogl (author, source maintainer, target maintainer)

Thanks for the heads-up. Should I simply delete the obscpio and handle it like this package: https://build.opensuse.org/package/show/openSUSE:Factory/plymouth?


Martin Pluskal

I would suggest otherwise - keep obscpio - see e.g. https://build.opensuse.org/package/show/network:cryptocurrencies/xmrig, but tarball will work as well (see e.g. https://build.opensuse.org/package/show/Base:System/thin-provisioning-tools).


Simon Vogl (author, source maintainer, target maintainer)

Thanks for the suggestion, I have made a new request that will (hopefully) handle tarball generation better: https://build.opensuse.org/request/show/1165380

Request History
Simon Vogl: DarkWav created request

Martin Pluskal: pluskalm accepted request
