Please do not retag #5448

Closed
dvzrv opened this issue Feb 28, 2022 · 1 comment

Comments

@dvzrv

dvzrv commented Feb 28, 2022

Describe the bug
1.8.17 has been retagged because of #5446
This is bad practice and should be avoided. Please just tag a new version.

To Reproduce
Steps to reproduce the behavior:

  1. Download tarball on 2022-02-24, have b2 checksum 313b21baefdad6f2958cceabc6a96ffc4e57763c928dd760d25d26d2b2caa592ac0b7169cdcd81745252e5d51aa4170a2a01c24c1053abdda0ea207636f10930
  2. Download tarball on 2022-02-28, have b2 checksum 06236b554f8be7428c7249b0b065b5bdc96c8a876046bfaf1af022bcfbe35926daf8af120989a8385c8c5bed6e8bcae5ea4d915e4b695b3b12768c829822499c
  3. Diff different versions, have: etherpad-lite-1.8.17.log

Expected behavior
Tags always point at the same commit and are never moved.

Screenshots
n/a

Server (please complete the following information):

  • Etherpad version: 1.8.17
  • OS: Arch Linux
  • Node.js version (node --version): 17.6.0
  • npm version (npm --version): 8.5.2
  • Is the server free of plugins: yes

Desktop (please complete the following information):

  • OS: n/a
  • Browser n/a
  • Version n/a

Smartphone (please complete the following information):

  • Device: n/a
  • OS: n/a
  • Browser n/a
  • Version n/a

Additional context
Retagging a version breaks downstream (reproducible) builds that rely on checksums of tarballs.
Additionally, moving a tag implies that the sources have changed, which may be the sign of a supply chain attack. This behavior diminishes trust of downstreams in upstreams (you). Downstreams have to spend time on trying to find out what went wrong and write a ticket.

@rhansen
Member

rhansen commented Mar 1, 2022

Thanks for the report, I'll keep the tags stable in the future.

@rhansen rhansen closed this as completed Mar 1, 2022
archlinux-github pushed a commit to archlinux/aur that referenced this issue Jul 31, 2022
PKGBUILD:
Upstream retagged 1.8.17 due to changes to the CI setup, which changes
the contents and checksums of the tarballs:
ether/etherpad-lite#5448
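
The downstream check described in the report above, as an added example that is not part of the original issue or of Etherpad's code: verify a tarball against a pinned BLAKE2b-512 checksum (the algorithm `b2sum` uses by default) and, on a mismatch, list which archive members changed. The tarballs, the `example-1.0.0` paths and all function names are constructed for illustration.

```python
import hashlib
import hmac
import io
import tarfile

def b2_digest(stream, chunk_size=1 << 16):
    """BLAKE2b-512 hex digest of a binary stream (b2sum's default algorithm)."""
    h = hashlib.blake2b()  # digest_size defaults to 64 bytes
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_pinned(tar_bytes, pinned_hex):
    """Return (ok, actual). A mismatch means the bytes changed after pinning."""
    actual = b2_digest(io.BytesIO(tar_bytes))
    return hmac.compare_digest(actual, pinned_hex.strip().lower()), actual

def member_digests(tar_bytes):
    """Map each regular file in the archive to its own digest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: b2_digest(tar.extractfile(m))
                for m in tar.getmembers() if m.isfile()}

def changed_members(old, new):
    """Names added, removed or modified between two fetches of one tag."""
    a, b = member_digests(old), member_digests(new)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_tarball(files):
    """Constructed stand-in for a release tarball (hypothetical contents)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the same tag name fetched twice, one CI file differs.
SRC = b"console.log('hello');\n"
FIRST_FETCH = make_tarball({"example-1.0.0/app.js": SRC, "example-1.0.0/ci.yml": b"node: 16\n"})
AFTER_RETAG = make_tarball({"example-1.0.0/app.js": SRC, "example-1.0.0/ci.yml": b"node: 17\n"})
PINNED = b2_digest(io.BytesIO(FIRST_FETCH))  # recorded by the packager at first fetch

if __name__ == "__main__":
    ok, actual = verify_pinned(AFTER_RETAG, PINNED)
    print("checksum ok:", ok)
    print("changed:", changed_members(FIRST_FETCH, AFTER_RETAG))
```

The checksum alone only says that something changed; the per-member comparison is what tells the packager whether the difference is confined to files such as CI configuration or touches shipped sources.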