1.61.0 release tarball changed? #1001

Closed
Jehops opened this issue Jul 5, 2021 · 3 comments · Fixed by #1002

@Jehops Jehops commented Jul 5, 2021

FreeBSD package maintainer here. Our package building system does a checksum on the release tarballs and we are now seeing a mismatch. It doesn't look like the release was re-rolled. Do you know anything about the change?

I'm told that these GitHub generated tarballs are not guaranteed to be static, although this is a first for me in years of maintaining dozens of GitHub hosted packages.

fetch: https://codeload.github.com/digitalocean/doctl/tar.gz/v1.61.0?dummy=/digitalocean-doctl-v1.61.0_GH0.tar.gz: size unknown
fetch: https://codeload.github.com/digitalocean/doctl/tar.gz/v1.61.0?dummy=/digitalocean-doctl-v1.61.0_GH0.tar.gz: size of remote file is not known
digitalocean-doctl-v1.61.0_GH0.tar.gz                 5078 kB 5605 kBps    01s
=> Fetched file size mismatch (expected 5200371, actual 5200375)
@Jehops Jehops added the bug label Jul 5, 2021
Member

@andrewsomething andrewsomething commented Jul 6, 2021

Hi @Jehops. Thanks for maintaining the FreeBSD package! This does seem odd.

We build and upload the binary tarballs using goreleaser and we include the SHA256 checksums for them as part of the release. The source tarballs are generated by GitHub automatically. We don't keep a record of what the checksums for those are at release.

What was the original checksum you recorded?

Author

@Jehops Jehops commented Jul 6, 2021

Hi @andrewsomething. My pleasure.

That the GitHub automatically generated tarballs can change is odd and unfortunate, but described elsewhere.

The original SHA256 was 5334fb1d2c169064d2a7584186bc4b3c48952e8af0a139447e890e204531356e. It's now 571ae4f408a267d9824b56b5ed43604c867be951c09d8fd9b2b0db7cb4635078.

Member

@andrewsomething andrewsomething commented Jul 6, 2021

Looks like it should be pretty trivial for us to start including our own source archive as part of the release process:

https://goreleaser.com/customization/source/

That should at least prevent this in the future.

freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this issue Jul 6, 2021
freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this issue Jul 8, 2021
See digitalocean/doctl#1001

Upstream will now provide immutable source tarballs.

(cherry picked from commit 2924196)
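
When a recorded distfile checksum stops matching, as in the report above, a maintainer who still has the previously fetched archive can check whether the file tree changed or only the packaging did. The following is an added example, not part of this thread or of either project's tooling; the archives are constructed in memory, and the function names `make_archive`, `content_manifest` and `triage` are hypothetical.

```python
import gzip
import hashlib
import io
import tarfile

def make_archive(files, mtime):
    """Build a constructed .tar.gz in memory, standing in for a fetched distfile."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """Checksum of the compressed archive, the value a ports tree records."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map member name -> (type, mode, link target, SHA256 of file data)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isfile() else b""
            manifest[m.name] = (m.type, m.mode, m.linkname, hashlib.sha256(data).hexdigest())
    return manifest

def triage(recorded, fetched):
    """Classify a mismatch: identical, repackaged (same tree), or content-changed."""
    if archive_sha256(recorded) == archive_sha256(fetched):
        return "identical", []
    old, new = content_manifest(recorded), content_manifest(fetched)
    changed = sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))
    return ("content-changed" if changed else "repackaged"), changed

if __name__ == "__main__":
    # Constructed sample tree; paths and contents are placeholders.
    tree = {"pkg-1.0/main.go": b"package main\n", "pkg-1.0/go.mod": b"module example\n"}
    old = make_archive(tree, mtime=1625000000)
    regenerated = make_archive(tree, mtime=1625500000)  # same files, new tar headers
    edited = make_archive({**tree, "pkg-1.0/main.go": b"package main // edited\n"}, mtime=1625000000)
    print(triage(old, regenerated))
    print(triage(old, edited))
```

A `repackaged` result means the archive bytes differ while every member's type, mode, link target and data hash match the earlier fetch; a `content-changed` result lists the members to review before a new checksum is recorded.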