On Thu, 10 May 2018 15:10:00 +0200
Nicolas Goaziou wrote:

> Hello,
>
> Eric Bavier writes:
>
> >> + (uri (string-append
> >> + "https://github.com/jmoenig/Snap--Build-Your-Own-Blocks/archive/"
> >> + version ".tar.gz"))
> >
> > I think we're trying to stay away from Github's auto-generated tarballs
> > now, because they are not guaranteed to remain the same over time.
> >
> > Unfortunately this project doesn't seem to upload its own release
> > tarballs. I would instead use a git checkout.
>
> Version is a tag, therefore a commit, so I would think it should remain
> identical over time. Besides a number of packages use this (e.g.,
> audacity...)

It's worse than that. See e.g.
https://marc.info/?l=openbsd-ports&m=151973450514279&w=2

Many other packages use it because the issue was only brought to light
more recently.

>
> Granted, I'm not well-versed in Github technology. Yet, using a git
> checkout slightly complicates the package, and its subsequent updates,
> so I'd rather only use it if absolutely necessary.
>
> WDYT?

I don't think it would make the package more difficult. If anything I
think it could make it easier. E.g. it wouldn't need the tar and gzip
inputs and wouldn't need to untar.

You don't need to use a git hash at all. If the release is tagged, you
can use that in the git-reference commit. E.g. a recent package I
made, "ghostwriter", does this.

HTH,
`~Eric
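
Review bot: the `uri` in the quoted hunk is assembled with `string-append` from the repository's `archive/` path plus `version ".tar.gz"`, so the package source is a GitHub auto-generated tarball rather than a release file published by the project. Any integrity check on this origin is then tied to archive bytes that, per the reply, are not guaranteed to remain the same over time. Suggest replacing this URI with a git checkout whose git-reference commit is the release tag, which pins the source to the tagged tree and drops the unpack step.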