On Fri, Jun 26, 2015 at 10:19 AM, Burton, Ross wrote:

> On 26 June 2015 at 15:16, Jon Szymaniak wrote:
>
>> I'm open to other suggestions as well, as this was just a first stab at
>> it. I've been seeing that cloning this git repo containing binary firmware
>> blobs takes an absurd amount of time, if it even finishes at all
>> successfully.
>
> I believe github offers hosting of "release" tarballs too, so upstream
> could take advantage of that. Having verified checksums of firmware is
> useful from a security point of view as you can't really inspect the
> sources for it...

That's actually what I looked for first, and definitely would use that if it were available.

Generally when you apply a tag or manually create a release on GitHub, an entry under "Tags" or "Releases" is created. It will automatically provide a zip and/or tar.gz of the repo sources -- I suspect this would suffer from the same risk of changing checksums that you expressed concern over. Therefore, it would require the upstream maintainer to upload a specific .tar.gz, preferably with .sha256sum and .md5sum files.

Back to the git depth point... why is "--depth 1" not the default for all cases? Could anyone elaborate on some use cases where we'd actually want the entire history for builds?

- Jon