So, there’s two things a tarball provides:

– A single file to download instead of “git clone –depth 1″, and making sure a git server is running on the other side to begin with, and that git is available locally. Sure, “git dist” comes handy addressing that. And Fedora recently switched to being able to build packages out of “git dist” tarballs instead of “make dist” ones.

– “make dist” tarballs have some generated files that supposedly need a few more advanced tools than your users care to keep around. This is a really huge advantage if you have ever tried to build software on exotic or simply old systems. Say, on your hosting provider’s Linus system. The difference is huge: it’s like having to build vala first (and all its dependencies of course) or not have to, if you just want to compile a simple vala-based project.

So, I’ve not lost all hope in tarballs just yet. But you do have a point.

behdad

PS. Enjoy GUADEC.

The point of tarballs – or archives for that matter – is because distro build systems usually do not allow outgoing network connections. Nor would it make sense to always redownload the repository on every build – the openSUSE BS starts one for each PRP (distro,arch) tuple.

While you might argue that distributions packaging your software independently would lead to less chance of malware being inadvertently included, I would counter that they’d be even less inclined to scrutinise tarballs, having been burdened with packaging tarballs for each and every piece of software–something that they currently need not do. The developer Spudd86 linked to the blog of is a prime example of packagers who definitely do not need an extra burden–a workaholic and I gauge holding a large part of Gentoo together, suffering health problems but, due to the sheer amount of work and the fundamental nature of some aspects thereof, essential for the project (and us, as Gentoo users, of course).

Furthermore, the chance of any individual user of a compromised package finding out about said compromise and thus being able to uncompromise their machine would be lower with the tarball being used by fewer people–after all, we would have many unique tarballs, all differing in their lineage (from repository to user) and hashes. In the situation of one, single tarball being packaged upstream and then checked and signed by each and every distribution, as is now the status quo, a single user finding their tarball containing malware would enable distributions and news websites to post comprehensive warnings for users to clean and upgrade to a non-compromised version of the software concerned. This was the case with a programme not long back, though my news reader appears to have deleted it now, so you’ll have to trust me on that. :P

You might argue that you, being the author of the programme concerned, do not wish to expend further effort through packaging and that you have no ethical obligation to do so in place of distributions. That could be the case–though I do not profess to have thought through that possibility enough to say with any certainty one way or the other. However, it would seem consistent to follow from the general FOSS ethos and philosophy that doing a little extra–that is, building, hosting and distributing source tarballs–is doing a little extra good through which a relatively little effort is expended in favour of reducing the overall work needed by all involved, developers, distributions and users alike. I don’t mean to presume your stance, just a little independent aside.

Also it’s not really nice to make more work for packagers in general, they’re overworked already…

Tarballs are the canonical way to distribute software. Please don’t stop releasing them. If you worry about bandwidth, host them on http://ftp.gnome.org. There’s no problem with that.

@jpobst: did the packagers say why this wasn’t good enough?

Running make dist for gnome packages usually requires more packages than a regular install. gtk-doc, autoconf, automake, ${VCS}, etc.

Like Dodji said, tarballs are good for releases and setting things in stone. Once a release is done and the tarball is up, you don’t need to think about it anymore and you should modify them.

If you’re really worried about bandwidth cost, why not host your tarballs on http://ftp.gnome.org or sourceforge? It’s their job to provide such services for the OSS communities.

But do realize that a lot of distros do rely on tarballs for their own packages, for both convenience and security reasons.

Cheers