Release tarball for v0.6.4 has changed recently #143

Closed
0mp opened this issue Oct 6, 2021 · 3 comments

0mp (Contributor) commented Oct 6, 2021

Hi there! I'm the maintainer of the scli package in FreeBSD. Yesterday I got a report from the FreeBSD community that the source tarball (https://codeload.github.com/isamert/scli/tar.gz/v0.6.4?dummy=/isamert-scli-v0.6.4_GH0.tar.gz) has changed its hash:

Old hash (https://cgit.freebsd.org/ports/tree/net-im/scli/distinfo):

TIMESTAMP = 1625735833
SHA256 (isamert-scli-v0.6.4_GH0.tar.gz) = 867e45b10cd9ae0acff99c14c3570d95f54a5c9ca770d786e1e5689c8158ff3f
SIZE (isamert-scli-v0.6.4_GH0.tar.gz) = 139743

New hash:

TIMESTAMP = 1633504159
SHA256 (isamert-scli-v0.6.4_GH0.tar.gz) = 350f2cd34e4b4fcd1a0f0968dc31e35736910fa07488b2faff8da286eeab3e8a
SIZE (isamert-scli-v0.6.4_GH0.tar.gz) = 139732

I wonder if that's the result of some actions performed by the scli developers (like rewriting the commit history or tagging a different commit with tag v0.6.4) or is that some GitHub infrastructure issue.

Thanks!


exquo (Collaborator) commented Oct 7, 2021

Thanks for letting us know!

There have been no modifications to the source code of the latest release, or to the git history.
(This can be verified if you had a git clone of the repo: a forced push would have been seen on the next pull. Otherwise - not sure.. Maybe an archived copy of scli can be found somewhere..)

The "Source code" files in GitHub's release assets are generated dynamically. The resulting files may differ slightly depending on the version of git, tar and gzip used by the GitHub servers at the time of download.
Apparently, this issue has bitten many projects before: see this answer on Security SE.

Verifying the authenticity of the files is important, so let us know if we can help mitigate this in the future. According to the answer linked above:

> The best way to get verifiable source dumps from GitHub is to clone the repository and check out the commit hash associated with the tag.

Maybe FreshPorts could fetch the source with git rather than download the release .tar.gz assets?

0mp (Contributor, Author) commented Oct 7, 2021

> There have been no modifications to the source code of the latest release, or to the git history. (This can be verified if you had a git clone of the repo: a forced push would have been seen on the next pull. Otherwise - not sure.. Maybe an archived copy of scli can be found somewhere..)

Thanks! I've compared the tagged commit from the repo with the tarball and they are the same (modulo the VERSION file).

> The "Source code" files in GitHub's release assets are generated dynamically. The resulting files may differ slightly depending on the version of git, tar and gzip used by the GitHub servers at the time of download. Apparently, this issue has bitten many projects before: see this answer on Security SE.
>
> Verifying the authenticity of the files is important, so let us know if we can help mitigate this in the future. According to the answer linked above:
>
> > The best way to get verifiable source dumps from GitHub is to clone the repository and check out the commit hash associated with the tag.
>
> Maybe FreshPorts could fetch the source with git rather than download the release .tar.gz assets?

The tarballs are the easiest to work with. Tarball rerolls happen from time to time in the wild. I guess there is no need to modify this workflow :)

Note: FreshPorts is just a web UI to view the FreeBSD Ports Collection. The relationship between the two can be a bit confusing at times.

In the meantime, I've updated the hashes in the FreeBSD port so FreeBSD users are going to be able to see scli package in the repos soon.

Thanks again for your help!

@0mp 0mp closed this as completed Oct 7, 2021
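The two comments above make one point between them: GitHub regenerates the "Source code" tarball on the fly, so its SHA256 can change even when the tagged tree has not, and the reliable check is to compare the tree itself (which is what 0mp did, "modulo the VERSION file"). The following is an added example, not code from the scli project or from either participant. It computes a digest over the archived file paths and bodies only, ignoring tar and gzip metadata and the top-level directory name, so that a re-rolled tarball still matches while a tampered file does not. The sample tree, the `proj-…` directory prefixes and the assumption that a generated `VERSION` file is the one legitimate difference are all constructed for the example.

```python
"""Compare source tarballs by their file contents rather than by archive bytes."""
import gzip
import hashlib
import io
import tarfile


def archive_sha256(data: bytes) -> str:
    """Hash of the raw .tar.gz bytes: what the SHA256 line in distinfo records."""
    return hashlib.sha256(data).hexdigest()


def content_digest(data: bytes, ignore: tuple = ()) -> str:
    """Digest of sorted (path, sha256(body)) pairs inside a .tar.gz.

    Tar headers (mtime, uid/gid, member order), the gzip header and the
    compression level do not contribute, and the leading top-level directory
    is stripped so two archives of the same tree compare equal even if the
    archiver named that directory differently. Paths in `ignore` are skipped
    (assumed use here: a generated VERSION file).
    """
    entries = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            if rel in ignore:
                continue
            body = tf.extractfile(member).read()
            entries.append((rel, hashlib.sha256(body).hexdigest()))
    h = hashlib.sha256()
    for rel, digest in sorted(entries):
        h.update(f"{rel}\0{digest}\n".encode())
    return h.hexdigest()


def make_tarball(prefix: str, files: dict, mtime: int, level: int,
                 reverse: bool = False) -> bytes:
    """Constructed sample archive: same tree, caller-chosen tar/gzip metadata."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for name in sorted(files, reverse=reverse):
            body = files[name]
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(body)
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(body))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime, compresslevel=level) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


# Constructed sample tree standing in for a tagged checkout (not scli's real files).
TREE = {
    "README.md": b"# sample project\n",
    "src/main.py": b"print('hello')\n",
    "VERSION": b"0.6.4\n",
}


def reroll_comparison() -> dict:
    """Two rerolls of one tree: archive bytes differ, contents agree;
    a changed source file is still caught; a VERSION-only difference
    can be tolerated explicitly."""
    first = make_tarball("proj-0.6.4", TREE, mtime=1625735833, level=9)
    second = make_tarball("proj-v0.6.4", TREE, mtime=1633504159, level=1, reverse=True)
    tampered = make_tarball("proj-0.6.4", {**TREE, "src/main.py": b"print('bye')\n"},
                            mtime=1625735833, level=9)
    versioned = make_tarball("proj-0.6.4", {**TREE, "VERSION": b"0.6.4-export\n"},
                             mtime=1625735833, level=9)
    return {
        "bytes_equal": archive_sha256(first) == archive_sha256(second),
        "contents_equal": content_digest(first) == content_digest(second),
        "tampered_detected": content_digest(first) != content_digest(tampered),
        "version_only_diff": (
            content_digest(first) != content_digest(versioned)
            and content_digest(first, ignore=("VERSION",))
            == content_digest(versioned, ignore=("VERSION",))
        ),
    }


if __name__ == "__main__":
    for key, value in reroll_comparison().items():
        print(f"{key}: {value}")
```

For a real release the reference digest would come from the tagged tree rather than from a second download: feed the output of `git archive --format=tgz v0.6.4` from a clone (or a plain checkout of that tag, hashed the same way) into `content_digest` and compare it with the digest of the downloaded asset. That is the thread's "clone and check out the tagged commit" advice expressed as a check that does not depend on which git, tar and gzip versions GitHub happened to use on a given day.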
exquo (Collaborator) commented Oct 7, 2021

Sure thing!

> The tarballs are the easiest to work with. Tarball rerolls happen from time to time in the wild. I guess there is no need to modify this workflow :)

Makes sense. The changes to GitHub's internal tools (that affect the tarballs) probably happen rarely enough to make the manual hashes updates the simplest option.

> Note: FreshPorts is just a web UI to view the FreeBSD Ports Collection. The relationship between the two can be a bit confusing at times.

Gotcha! I guess I meant "BSD ports".
