[aur-general] Auto-generated Github tarballs format change (Was: TU Application: Daniel M. Capella)

Bruno Pagani bruno.n.pagani at gmail.com
Thu Nov 15 10:01:38 UTC 2018


On 15/11/2018 at 10:52, Baptiste Jonglez wrote:
> On 15-11-18, Eli Schwartz via aur-general wrote:
>> On 11/14/18 11:50 PM, Daniel M. Capella via aur-general wrote:
>>> Quoting Levente Polyak via aur-general (2018-11-14 17:00:38)
>>>> - tests are awesome <3 run them whenever possible! more is better!
>>>>   pulling sources from github is favorable when you get free tests
>>>>   and sometimes manpages/docs
>>> Will work with the upstreams to distribute these. I prefer to use published
>>> offerings as they are what the authors intend to be used. GitHub autogenerated
>>> tarballs are also subject to change:
>>> https://marc.info/?l=openbsd-ports&m=151973450514279&w=2
>> I've seen the occasional *claim* that this happens, but I've yet to see
>> any actual case where this happens and it isn't because of upstream
>> force-pushing a tag.
> See https://bugs.archlinux.org/task/60382 for an example.
>
> I still had the old archive around so I spent some time comparing it with
> the new one:
>
> - I compared the checksum of each individual file in the archives, and
>   they were all identical
>
> - I compared the raw tar files after decompressing, and there were just a
>   few bytes that were moved around
>
> This really suggests a slight format change in the way the tarball was
> generated (could be file ordering).
>
> If you want to double check, here they are:
>
> - old archive from May 2017: https://files.polyno.me/arch/kashmir-20150805-20170525.tar.gz
>
> - new archive: https://files.polyno.me/arch/kashmir-20150805.tar.gz
>
> Baptiste

But those are not tag tarballs though.

That being said, yes, the tarball format changed once in the past, on
purpose, so that it could actually be reproducible and allow things like
the “alternative local workflow” of https://wiki.debian.org/Creating
signed GitHub releases. I can’t remember when that happened, but per
this page that was prior to April 2016. And AFAIK, it is not subject to
change again for this exact reason. ;)

Regards,
Bruno
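
The comparison Baptiste describes in the quoted message (per-file checksums identical, raw tar bytes different), as an added Python example that is not part of the original thread. The two archives are constructed in memory and differ only in member order, which is the cause he guesses at rather than a confirmed one; all function names are hypothetical.

```python
import gzip
import hashlib
import io
import tarfile


def member_digests(tar_bytes):
    """Return [(name, sha256-of-content)] in archive order for regular files."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                out.append((member.name, hashlib.sha256(data).hexdigest()))
    return out


def compare_archives(old_gz, new_gz):
    """Compare two .tar.gz blobs at three levels: gzip, raw tar, file content."""
    old_tar, new_tar = gzip.decompress(old_gz), gzip.decompress(new_gz)
    old_members, new_members = member_digests(old_tar), member_digests(new_tar)
    return {
        "gz_identical": old_gz == new_gz,
        "tar_identical": old_tar == new_tar,
        "contents_identical": dict(old_members) == dict(new_members),
        "same_member_order": [n for n, _ in old_members] == [n for n, _ in new_members],
    }


def build_sample(files, order):
    """Constructed input: a deterministic .tar.gz with members in the given order."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)  # mtime, uid and gid default to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return gzip.compress(raw.getvalue(), mtime=0)


# Constructed sample data: same file contents, different member order.
FILES = {"pkg/README": b"hello\n", "pkg/main.c": b"int main(void){return 0;}\n"}
OLD = build_sample(FILES, ["pkg/README", "pkg/main.c"])
NEW = build_sample(FILES, ["pkg/main.c", "pkg/README"])

if __name__ == "__main__":
    for key, value in compare_archives(OLD, NEW).items():
        print(f"{key}: {value}")
```

A checksum pinned on the `.tar.gz` fails as soon as `gz_identical` is false, even when `contents_identical` shows that no file in the archive changed.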

