[indiana-discuss] [Fwd: [desktop-discuss] SFE binary packages for OpenSolaris]
Stephen Hahn
sch at sun.com
Mon Dec 17 09:13:26 PST 2007
* Martin Man <Martin.Man at sun.com> [2007-12-17 14:12]:
> Bart Smaalders wrote:
> >
> >You're missing the point. ON developers don't build from source
> >packages; they'll build from a mercurial workspace. Why would
> >anyone who's not working on ON compile it from source, and why
> >should the OpenSolaris community spend the man years needed to
> >support this?
>
> Because if you want to make a bug fix for urgent security bug in a
> software two years old, it is easier to compile from source package
> while adding the .diff, than to search for the right
> gate/tag/date/whatever in SCM to obtain the sources...
Easier: maybe, maybe not.
> and you are never sure that you actually found the right source that
> was used to do this build...
For Mercurial: false. (For Subversion: maybe.) Changeset hashes
will be encoded into the package--you will know that you have the
exact source. Unless you've got the hash from the tar archive from
the past, you cannot reach an equivalent level of assurance.
- Stephen
--
sch at sun.com http://blogs.sun.com/sch/
More information about the indiana-discuss
mailing list