On Fri, Jun 26, 2015 at 10:19 AM, Burton, Ross <ross.burton@intel.com> wrote:


On 26 June 2015 at 15:16, Jon Szymaniak <jon.szymaniak@gmail.com> wrote:
I'm open to other suggestions as well, as this was just a first stab at it. I've been seeing that cloning this git repo containing binary firmware blobs takes an absurd amount of time, if it even finishes at all successfully.

I believe github offers hosting of "release" tarballs too, so upstream could take advantage of that.  Having verified checksums of firmware is useful from a security point of view as you can't really inspect the sources for it...

That's actually what I looked for first, and definitely would use that if it were available.

Generally when you apply a tag or manually create a release on GitHub, an entry under "Tags" or "Releases" is created.  It will automatically provide a zip and/or tar.gz of the repo sources -- I suspect this would suffer from the same risk of changing checksums that you expressed concern over.  Therefore, it would require the upstream maintainer to upload a specific .tar.gz, preferably with .sha256sum and .md5sum files.

Back to the git depth point... why is "--depth 1" not the default for all cases?  Could anyone elaborate on some use cases where we'd actually want the entire history for builds?

- Jon
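
The checksum concern discussed in this thread, as an added example that is not part of the original messages: two archives built from identical files but with different timestamps and compression settings hash differently, which is why a pinned checksum only holds for a tarball that upstream uploads once and never regenerates. The file contents, timestamps and function names below are constructed for illustration.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

# Constructed sample tree standing in for a snapshot of a firmware repo.
FILES = {
    "firmware/blob.bin": b"\x00\x01constructed firmware bytes",
    "LICENSE": b"constructed license text\n",
}

def make_archive(files, mtime, level):
    """Pack files into a tar.gz, as an on-demand archive generator would."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime  # metadata only, not file content
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """Digest of the archive bytes, i.e. what a .sha256sum file would pin."""
    return hashlib.sha256(blob).hexdigest()

def content_sha256(blob):
    """Digest over member names and data only, ignoring tar/gzip metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(member).read()
            h.update(member.name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def verify(blob, pinned_hex):
    """Constant-time comparison of an archive against a pinned SHA-256."""
    return hmac.compare_digest(archive_sha256(blob), pinned_hex)

if __name__ == "__main__":
    first = make_archive(FILES, mtime=1435328340, level=6)
    regenerated = make_archive(FILES, mtime=1435414740, level=9)
    pinned = archive_sha256(first)
    print("same content:", content_sha256(first) == content_sha256(regenerated))
    print("first verifies:", verify(first, pinned))
    print("regenerated verifies:", verify(regenerated, pinned))
```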