cyanreg
commented
9 months ago Could you just use git tags? They're safer than a third party's code, and they're signed.
Closed diizzyy closed 5 months ago
cyanreg
commented
9 months ago Could you just use git tags? They're safer than a third party's code, and they're signed.
diizzyy
commented
9 months ago If you're referring to the "source code" packages (https://github.com/cyanreg/cyanrip/archive/refs/tags/v0.9.2.tar.gz and zip) these aren't guaranteed to be stable (see like above) over time.
For clarification, Example: https://github.com/libsndfile/libsndfile/releases/tag/1.2.2
cyanreg
commented
5 months ago I think with the recent .xz issues and everyone switching to git tags instead, this doesn't need to be open anymore.
diizzyy
commented
5 months ago Not sure what repos you're looking at but that doesn't seem to be the case for the majority but oh well...
cyanreg
commented
5 months ago If by assets you mean manually creating signed archives and manually uploading them upon release, I can do that.
diizzyy
commented
5 months ago That would be great, thanks in advance! :-)
Earlier this year GitHub announced that generated source archives are only stable for a year, this will likely cause major issues for anyone trying to package Cyanrip longterm. Please consider uploading release source code archives.
Reference: https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/