source tarball asset #65

Open
dvzrv opened this issue Sep 22, 2020 · 2 comments
Comments

@dvzrv

dvzrv commented Sep 22, 2020

Hi! As I'm currently attempting to package vst3sdk for Arch Linux, I am faced with the dilemma of not being able to do proper source verification (apart from having issues with the versioning as mentioned in #64).

Background:
Distributions usually fend off supply chain attacks by verifying the sources used to build the packages provided in official repositories.
This is usually done by source tarball verification based on file checksums (either by TOFU or by using upstream provided checksums).
GitHub auto-generates tarballs for tags. However, these tarballs do not contain submodules, which is why upstreams facilitating submodules either offer aggregated source tarballs (containing all the submodules) that are uploaded as release assets, or take further measures to offer source verification (e.g. PGP signed commits and tags). While I for one could make use of signed tags and commits, this is probably nothing that all distributions are able to use (either due to policy or technical setup) - the best way is still to create an aggregated source tarball.

I can offer to do a pull request with a similar implementation as done for supercollider and various others for creating aggregated source tarballs for the releases in this repository, if you are interested.

As is, I cannot do a satisfactory source verification for packaging and I know that for other distributions this will also be a showstopper (as some have more strict rules about how source verification has to be done).

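A packager-side check for the problem described above, added here as an example and not code from the issue or from vst3sdk: it hashes a release tarball and reports every submodule path listed in the archive's `.gitmodules` that has no files underneath it, which is how a GitHub auto-generated tag tarball looks. The sample tarballs are constructed in memory; the root directory name, the submodule name `base` and the URL are made up for the example.

```python
import hashlib
import io
import tarfile


def submodule_paths(gitmodules_text):
    """Collect 'path = ...' entries from a .gitmodules file (hand-parsed, tolerates tab indentation)."""
    paths = []
    for line in gitmodules_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "path":
            paths.append(value.strip().strip("/"))
    return paths


def audit_tarball(data):
    """Return (sha256 hex digest, submodule paths that contain no files in the archive)."""
    digest = hashlib.sha256(data).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        names = [m.name for m in tf.getmembers()]  # tarfile strips trailing '/' from directory entries
        gitmodules = next((n for n in names if n.count("/") == 1 and n.endswith("/.gitmodules")), None)
        if gitmodules is None:
            return digest, []  # no submodules declared, nothing to check
        root = gitmodules.split("/", 1)[0]
        text = tf.extractfile(gitmodules).read().decode()
    # A bare directory entry 'root/sub' does not match 'root/sub/', so an empty submodule is reported.
    missing = [p for p in submodule_paths(text) if not any(n.startswith(f"{root}/{p}/") for n in names)]
    return digest, missing


def build_sample(populated):
    """Construct a sample release tarball (made-up contents) with or without submodule content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, content=b"", isdir=False):
            info = tarfile.TarInfo(name)
            if isdir:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
        add("vst3sdk-3.7.5/.gitmodules",
            b'[submodule "base"]\n\tpath = base\n\turl = https://example.invalid/base.git\n')
        add("vst3sdk-3.7.5/base", isdir=True)  # what an auto-generated tag tarball leaves behind
        if populated:
            add("vst3sdk-3.7.5/base/CMakeLists.txt", b"project(base)\n")
    return buf.getvalue()


if __name__ == "__main__":
    for populated in (False, True):
        print(audit_tarball(build_sample(populated)))
```

Run against a real release asset, a non-empty second element means the archive was not aggregated and cannot be built as-is.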
@cbix

cbix commented Jul 5, 2022

@dvzrv you could use

pkgbase=vst3sdk
# find latest version: curl -I https://www.steinberg.net/vst3sdk | grep -i location
_fullver=3.7.5_build-44_2022-05-19
pkgver=${_fullver%%_*}
source=("$pkgbase-$pkgver.zip::https://download.steinberg.net/sdk_downloads/vst-sdk_$_fullver.zip")

then drop everything except vst3sdk

prepare() {
  # remove unnecessary files
  rm -r VST_SDK/{copy*,my_plugins,vst2sdk,VST3_Project_Generator,vst3sdk/bin}
}

Alternatively, the individual submodules all use the same release tags, except vstgui4 which has its own versioning.

@redtide

redtide commented Mar 29, 2023

At least hide the Releases and Packages about tabs in the repo main page, those tarballs are mostly empty and completely useless, so also confusing for people visiting here.
