On May 23, 2024, at 4:10 PM, Andrey Semashev via Boost
On 5/24/24 02:07, Marshall Clow wrote:
On May 23, 2024, at 3:50 PM, Andrey Semashev via Boost
wrote: Also, release tarballs on GitHub don't have hashsums or signatures attached.
https://github.com/boostorg/boost/issues/838 https://github.com/boostorg/boost/issues/838
As I wrote in that issue: The archives on GitHub are not official releases.
Please stop pretending/telling people that they are.
If I could remove them entirely, I would do so. But they appear to be an artifact of the tagging process.
They are not a mere artifact of tagging. They were purposely added - first, to help CMake users (CMake-targeted tarballs have a different file layout), then to fix issues with jfrog (the b2 archives are similar to those published on jfrog, but lack documentation).
Unless they’re identical to the published tarballs that we provide SHAs for, they should not be used. They’re not tested (among other things)
My understanding is that we're moving towards releases on GitHub.
That’s as may be, but we’ll deal with that then. — Marshall