steinbergmedia / vst3sdk

VST 3 Plug-In SDK

source tarball asset #65

Open dvzrv opened 3 years ago

dvzrv commented 3 years ago

Hi! As I'm currently attempting to package vst3sdk for Arch Linux, I am faced with the dilemma of not being able to do proper source verification (apart from having issues with the versioning, as mentioned in #64).

Background: Distributions usually fend off supply chain attacks by verifying the sources used to build the packages provided in official repositories. This is usually done by source tarball verification based on file checksums (either by TOFU or by using upstream-provided checksums). GitHub auto-generates tarballs for tags. However, these tarballs do not contain submodules, which is why upstreams facilitating submodules either offer aggregated source tarballs (containing all the submodules) that are uploaded as release assets, or take further measures to offer source verification (e.g. PGP-signed commits and tags). While I for one could make use of signed tags and commits, this is probably nothing that all distributions are able to use (either due to policy or technical setup); the best way is still to create an aggregated source tarball.

I can offer to do a pull request with a similar implementation as done for supercollider and various others for creating aggregated source tarballs for the releases in this repository, if you are interested.

As is, I cannot do a satisfactory source verification for packaging, and I know that for other distributions this will also be a showstopper (as some have more strict rules about how source verification has to be done).

cbix commented 2 years ago

@dvzrv you could use:

```bash
pkgbase=vst3sdk
# find latest version: curl -I https://www.steinberg.net/vst3sdk | grep -i location
_fullver=3.7.5_build-44_2022-05-19
# pkgver is the part before the first underscore, e.g. 3.7.5
pkgver=${_fullver%%_*}
source=("$pkgbase-$pkgver.zip::https://download.steinberg.net/sdk_downloads/vst-sdk_$_fullver.zip")
```

then drop everything except vst3sdk:

```bash
prepare() {
  # remove unnecessary files (everything in the SDK zip except vst3sdk itself)
  rm -r VST_SDK/{copy*,my_plugins,vst2sdk,VST3_Project_Generator,vst3sdk/bin}
}
```

Alternatively, the individual submodules all use the same release tags, except vstgui4, which has its own versioning.
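As an added example (not code from this thread or from the vst3sdk project), the two checks a packager ends up wanting from the discussion above: the recorded-checksum verification dvzrv describes, and a test for the failure mode behind the whole issue, a tag tarball whose submodule directories are declared in `.gitmodules` but empty. The `pkgver` derivation follows cbix's PKGBUILD; the sample tree, submodule names and URLs are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the vst3sdk project.
#  verify_source: compare a download against a recorded sha256 (TOFU or
#                 upstream-published), the verification packagers rely on.
#  missing_submodules: list submodule paths declared in .gitmodules that are
#                 absent or empty, which is how a GitHub auto-generated tag
#                 tarball (no submodule content) shows up after unpacking.
# The sample tree below is constructed; it does not mirror the real SDK layout.
set -eu

# Derive pkgver the way cbix's PKGBUILD does: drop everything from the first '_'.
pkgver_from_fullver() {
  printf '%s\n' "${1%%_*}"
}

# Return 0 when the file's sha256 matches the recorded value, 1 otherwise.
verify_source() {
  file=$1 expected=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Print each submodule path from .gitmodules whose directory is missing or empty.
missing_submodules() {
  root=$1
  sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*//p' "$root/.gitmodules" |
  while IFS= read -r path; do
    if [ ! -d "$root/$path" ] || [ -z "$(ls -A "$root/$path")" ]; then
      printf '%s\n' "$path"
    fi
  done
}

# Constructed sample tree: two declared submodules, only "base" is populated.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/base" "$root/vstgui4"
  printf 'int x;\n' > "$root/base/a.h"
  cat > "$root/.gitmodules" <<'EOF'
[submodule "base"]
    path = base
    url = https://example.invalid/base.git
[submodule "vstgui4"]
    path = vstgui4
    url = https://example.invalid/vstgui4.git
EOF
  printf '%s\n' "$root"
}
```

Run `missing_submodules "$(make_sample_tree)"` to see only `vstgui4` reported; an aggregated release tarball should produce no output at all.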

redtide commented 1 year ago

At least hide the Releases and Packages tabs on the repo main page: those tarballs are mostly empty and completely useless, so they are also confusing for people visiting here.