Tarballs change after release #2781
Comments
|
So if you've pulled e.g https://github.com/ansible/ansible-lint/archive/refs/tags/v6.9.1.tar.gz the checksums changed later on? And where do you get those checksums from? |
|
We fetch the tarballs from Until today the b2sum was now it's |
|
|
|
Guess we can't do much now, but I'll leave this open for the next checksum change |
|
That is indeed interesting, I wonder if that is related to one of this things:
It is easy to see when release pipeline failed by looking at https://github.com/ansible/ansible-lint/actions/workflows/release.yml and you can even check the numbers which are consecutive. If I am correct last time release failed for lint was about 7 months ago, and few days ago. Indeed this should stay open until we identify the reason and find a solution. I wonder if we can setup a webhook for spotting a tag deletion and/or move, it could prove useful. If anyone knows a system that can be used for that let me know. I use https://newreleases.io/ for lots of projects but that one would only notify when a new tag is created, which is not what we need in this case. Sadly I that checksum is not the git commit hash, so I cannot search git history to identify it. Probably we need to get our hold on two archives built from the same tag that have different checksums and investigate them. Googling on tar and changed checksum, got me on https://stackoverflow.com/questions/52668432/tar-package-has-different-checksum-for-exactly-the-same-content -- apparently lots of reasons why an archive could change as they could contain other "goodies" inside. Maybe we should ask github because they are producing these archives not us, we have zero control over their creation. |
I receive notifications for updated packages every 15 Minutes. So this could be the reason. Did the publish fail for the 6.9.1 release?
We are building a lot of pacages from github. Besides manually changed tarballs and moved tags, I'm not aware of a similar problem in a different project. |
|
@freswa Can you elaborate in "notifications for updated packages every 15 Minutes", for the ansible-lint itself? I really need to get my hands on a pair of such packages to compare them, you made me very curious and I also want help help you avoid headaches. Out of curiosity, isn't possible to monitor sdist from pypi instead of source git? I know for sure that on pypi is impossible to update a package once pushed, something that cannot be achieved with github tar archives. And no, release did not fail for v6.9.1, and what job did run can be seen on on actions tab. My suspicion is that github might decide to change there tarballs on their side based on the text of the release notes page, which can be edited even after the release. Digging on Github forum I found few threads but I am not sure it these answer our questions:
As I seen info about tar not being able to produce the same archives on different systems, I wonder if the zip archive checksum might be more stable? -- That assumes that this is caused by archival and not the effective content being changed. |
I'm using nvchecker with this configuration: It's run every 15 Minutes with |
The release tarball only changes if the commit from which it was generated changes (aka. "moving the tag") or if github decided to change their way of generating the tarball (which, given that it would break everyone, is unlikely to ever happen knocks on wood). |
|
Closing because there is nothing to track for now, we will reopen if needed. |
|
It's happened again. Here is the diff between the tarball I downloaded previously and the one I downloaded just now: |
|
oh, it includes git stuff as well when calculating, not just the code. |
|
I can confirm the report by @Toolybird. The zip file includes the |
|
Basically that needs to be raised and tracked with github, not us. If I remember, they stated clearly that they do not make any guarantees regarding checksums of archives, so basically one needs to avoid using archives if they want to check checksums. |
|
@ssbarnea So github runs python setuptools scm on your repo periodically and uploads a new tar and zip file? The behavior has been introduced with this commit, just for reference. |
|
Only when a new tag is created, basically on a release. src tar.gz is uploaded to pypi. |
|
But we clearly see that there have been two |
|
That is the idea, these archives are magically done by github not by us and anyone looking at our open source gha workflows can see that. Please note that the moment when this thread will be locked is approaching fast as it already went too spammy. There is nothing to be done on our side AFAIK. |
|
@ssbarnea have you considered implementing what's stated in one of the threads you linked?
That way it's also easier to avoid a potential supply-chain attack (provided I understood this thread correctly). |
|
Unless someone else will contribute such changes (in a way that does not make maintenance harder), this will not happen. Anyone looking for extra security should avoid using github as a source of truth and better look at pypi package and implement checksum verification. |
|
Have a look at https://github.com/slsa-framework/slsa-github-generator and https://slsa.dev/ |
Arch Linux maintainer here. We've received 7 reports so far this year, due to changed tarball checksums after a release has been pulled.
See also: https://bugs.archlinux.org/task/76747
Is this intentional?
The text was updated successfully, but these errors were encountered: