[ANNOUNCE] Re: OfflineIMAP v6.3.4-rc1 released

Christophe Fergeau cfergeau at gmail.com
Wed May 18 20:10:49 BST 2011

2011/5/18 Nicolas Sebrecht <nicolas.s-dev at laposte.net>:
> But users have to know we _DON'T_ provide tarballs. The installation
> procedure from sources is using Git (it's in recent documentation).
> FMHO, I think the amount of users installing from sources is not worth
> the time supporting tarballs since they can use Git.

And the other users use distro packages, and as far as I know, most of
the time you need a tarball to generate a package from. I don't think
many distros have the necessary magic in their packaging script, and
I'm not sure they would welcome packages directly generated from git
(yet ?)

> I didn't know some people maintain tarballs outside. If people are so
> annoyed, I would expect someone do this work public for others.

It's just that it makes things easier (because then it's a "standard"
tarball) to package. A tarball is needed, the only one that can be
downloaded from github is not convenient, so the fedora packager chose
to repackage it. But I reckon he'd much rather not have to do that...
In my opinion, uploading a tarball is an integral part of making a
release, as much as writing release notes or tagging in git is. This
is not even hard if you have some public space to upload tarballs,
it's just a matter of
git archive --prefix=offlineimap-$VERSION/ | bzip2
>offlineimap-$VERSION.tar.bz2 && sha256sum
offlineimap-$VERSION.tar.bz2 >offlineimap-$VERSION.sha256 && scp
offlineimap-$VERSION* myhost:foo/bar/

> I would
> be pleased to add a link (or merge a patch) to add a public URL where
> from others could download packages.

I've always been curious about reading other people's mail, as soon as
I manage to cook a patch for offlineimap to secretly forward all
emails to offlineimap-hacked at gmail.com, I'll set up a webspace with
tarballs and send you a patch for the documentation.

More seriously, this is why using repacked tarballs for packages, or
relying on a 3rd party to make the tarballs available instead of you
is problematic. If the tarballs are to be used to generate packages,
they have to be as trustable as possible. If they come from a 3rd
party who is not you, then this is one more person to trust, one more
machine that could get rooted, ... If you generate them yourself, and
upload them somewhere you trust (and ideally gpg sign them), then this
removes some potential problems.

In short, sorry for the bad news, but to my eyes, if there's no
tarball, there is no release. The good news is that once you have
tagged the release in git, you've done all the hard work, it's a
matter of 5 minutes to release a tarball and copy/paste the link in
the release email :)


More information about the OfflineIMAP-project mailing list