Source code releases are missing the fcgi submodule

[droark]

Hello. A user PMed me and asked me to help them troubleshoot a compilation issue on macOS. It turns out that they were downloading ZIP files, which are missing the fcgi submodule. This appears to be a well-known GitHub bug that may never be fixed. The workaround is to put the source code up on the releases page, which I believe allows maintainers to control what gets uploaded as source. It turns out that the .zip and .tar.gz files on the releases page are also missing the fcgi submodule. This needs to be fixed. A quick Google search seems to indicate that maintainers can use a simple script to recursively download all submodules and then zip/tarball everything.

Thanks!

[goatpig]

I've been pushing signed source since 0.96.2:

https://github.com/goatpig/BitcoinArmory/releases/download/v0.96.3.99/armory_0.96.3.99_src.tar.gz

That guy has no idea what he is doing therefor has no business building from a tarball. He should pull the signed tags and build from that. It is evident the github packaged source is useless: even if it carried the proper code (which it doesn't cause of git submodule shenanigans), the auto packaged source tarball IS NOT SIGNED. Github could shove anything they want in there. If he was checking sigs, he would have noticed that immediately.

[droark]

Ahhh, I think I see the problem. On the releases page, you see a bunch of files, along with "Source code (zip)" and "Source code (tar.gz)"). It's the source links that are bad. Your signed file, which appears to be complete, can be missed if somebody doesn't know what to download. If there's any way to include a note with the releases, it wouldn't hurt to mention that your signed file is the one people should get, and maybe in the README too. Annoying, I know, but GH doesn't seem too inclined to make this easy. :/

Anyway, I'll update some documentation and PR it. Thanks.

[goatpig]

If there was a way to get rid of the auto github source, I'd like to know. It is still telling when someone grabs these files, tries to build and realize they don't work. Git submodules may be a blessing in disguise for these people, as they obviously did not check signatures on the tarball (there is none).