github port group

[Craig Treleaven]

At 3:05 AM -0500 4/22/12, Ryan Schmidt wrote:
>Sorry, I missed your latest comments in the ticket.
>
>On Apr 21, 2012, at 20:30, Sean Farley wrote:
>  >> I think the git.branch can be used interchangeably: it's both a 
>tag or a hash.
>>
>>  You mean having code that would look the following?
>>
>>  github.setup        williamh dotconf 1.3 v
>
>If the author is williamh, and the project name is dotconf, and the 
>version number is 1.3, and the tag prefix is v, then yes.
>
>>  github.branch       6382711e9b0060bbd0408df512e48b2ce9cdb3be #needs to
>>  be the whole hash so livecheck will work
>
>There's no such variable. Just use git.branch, same as if you 
>weren't using the github portgroup.
>
>>  Which then will use the zip / tarball download by default
>
>I didn't think github had automated downloads available except for tags.
>
>If github has automated downloads available for any tag/branch as 
>well, then we would need to verify that they always have the same 
>checksums, and are not generated on the fly. I'm pretty sure that 
>bitbucket, for example, generates them on the fly, meaning different 
>users requesting them at different times will get different 
>checksums, which means they're not suitable for use as master_sites 
>in MacPorts.


I'm no Git expert, but wouldn't git archive help us?  Git archive 
will retrieve from a remote repository and can format the result as a 
zip file.  From the man page:
       <tree-ish>
            The tree or commit to produce an archive for.

I don't know whether the checksums would always be the same.  As I 
understand Git, a commit hash uniquely identifies a particular state 
of the repository so if we specify a hash, we'll always get precisely 
the same result.  The only exception would be, I guess, if someone 
has hacked the repository.  I have no idea if that could be done 
without detection by the repository site.  I take it that is what 
we're trying to protect against?

Craig