docker and docker-completion: fix revision hash #22427
These are verified at build time, so if they retagged we need an explanation from upstream as to what happened in order to rule out malicious circumstances.
As you can see in the link above, the tag in this formula points to the hash I've updated to, don't know what happened there. How and who to contact upstream with this?
Yes, this PR updates the hash to something different from what it was originally in #22174 at which time it was verified as being correct. For security we don't change the tag commit hash without an explanation. Contact info is here https://www.docker.com/company/contact
Support request number 00037354 created at Docker.
@andrasmaroy thanks! We'll also need to bump the formula revision here, and make the same changes for the
to bump revisions you need to add
This should also affect the
The release was done 9 days ago, but someone appears to have re-tagged this only a day ago: https://github.com/docker/docker-ce/tags
[17.12] bump version to 17.12.0-ce
I'm not sure how the verification was done the first time, but it is pretty clear from the actual contents of the original commit sha1 that it is not the correct commit for that tag. Is there anything that can be done to prevent this sort of problem in the future? The process as-is (which seems pretty reasonable) appears to make it easier to make the mistake in the first place than it is to fix it afterwards.
@rmg yes. Ask upstream never to retag.
This will be taken care of by Thanks for bringing it to our attention @andrasmaroy!
brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
brew audit --strict <formula> (after doing brew install <formula>)?

Tag was updated in #22174 but the commit hash wasn't, updated according to the official repo.
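
The mismatch discussed in this thread (a formula pins both a tag and a commit hash, and a retag upstream makes the two disagree) can be checked outside the build by comparing the pin against what the remote advertises. The following is an added example, not Homebrew's code and not something posted in this PR; the function names, tag names and hashes are constructed, and the input is assumed to be the output of `git ls-remote --tags <url>`.

```shell
#!/bin/sh
# Compare a pinned (tag, revision) pair against what a remote advertises.
# stdin: output of `git ls-remote --tags <url>`, one "<sha><TAB><ref>" per line.

# Print the commit a tag resolves to. An annotated tag is listed twice: the
# tag object itself, and a peeled "<ref>^{}" line holding the commit. The
# peeled commit is what a pinned revision must be compared against.
tag_commit() {
  awk -v ref="refs/tags/$1" '
    $2 == (ref "^{}") { peeled = $1 }
    $2 == ref         { direct = $1 }
    END { if (peeled != "") print peeled; else if (direct != "") print direct }'
}

# check_pin TAG PINNED_REVISION
# exit status: 0 = tag still at the pinned commit, 1 = tag moved, 2 = tag absent
check_pin() {
  actual=$(tag_commit "$1")
  if [ -z "$actual" ]; then
    echo "missing: tag $1 is not advertised by the remote"; return 2
  elif [ "$actual" = "$2" ]; then
    echo "match: $1 -> $actual"; return 0
  fi
  echo "retagged: $1 is pinned at $2 but the remote has $actual"; return 1
}

# Constructed sample data: placeholder 40-character ids, not real hashes.
fake_sha() { printf '%040d' 0 | tr 0 "$1"; }
LIGHT=$(fake_sha a)       # lightweight tag v0.9.0 points straight at a commit
TAG_OBJ=$(fake_sha b)     # annotated tag object for v1.0.0
NEW_COMMIT=$(fake_sha c)  # commit v1.0.0 points at after the retag
OLD_PIN=$(fake_sha d)     # commit recorded in the pin before the retag

SAMPLE=$(printf '%s\trefs/tags/%s\n' \
  "$LIGHT" 'v0.9.0' "$TAG_OBJ" 'v1.0.0' "$NEW_COMMIT" 'v1.0.0^{}')

# Demo: the stale pin is reported as a retag, the updated pin matches.
printf '%s\n' "$SAMPLE" | check_pin v1.0.0 "$OLD_PIN" || :
printf '%s\n' "$SAMPLE" | check_pin v1.0.0 "$NEW_COMMIT" || :
```

A non-zero status from `check_pin` only says that the tag and the pin disagree; whether the new commit is legitimate still needs the explanation from upstream that the maintainers ask for above.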