archives changing hash at every commit #69
Comments
|
just another pic that may help you understand the problem |
|
Referring to the above image, this is the fundamental issue - if a packager configures a build system to use the c816514 archive (tar.gz) when c816514 is the HEAD commit, the packager may compute a checksum (eg. sha256) to ensure the integrity of the package download. The computed sha256 checksum of the c816514 tar.gz archive while HEAD == c816514 is 2aff1615e7f298210e4bc3342b3472ed0cab275b91bc0f3ba7c062ce2958be6a. Eventually, another commit will be added to this repo, resulting in c816514 no longer being the HEAD commit. Subsequently anyone downloading the c816514 archive from github will now download a new tar.gz that does not have the previously computed checksum because Consequently, it will not be possible to verify the integrity of the new archive tar.gz, even though the rev hasn't changed... Unless there's a really important reason why Thanks for your understanding. |
|
I've also reported this upstream as that may be more appropriate. |
|
This issue has been addressed upstream, brimworks/lua-zlib#44 - the latest pull from https://github.com/brimworks/lua-zlib will fix the issue in this repo. |
Due https://github.com/libretro/mame/blob/master/3rdparty/lua-zlib/.gitattributes the archives (for example) https://github.com/libretro/mame/archive/c816514.tar.gz change their hash after an additional commit.
That line https://github.com/libretro/mame/blob/master/3rdparty/lua-zlib/lua_zlib.c#L395 get changed. This results that you can't use untagged releases (last one is from 2016) if you check and compare the hashes from the downloaded file as the static url changing their hash at every commit to master.
an older downloaded version compared with an download from yesterday of that commit https://github.com/libretro/mame/archive/3f5b1456.tar.gz
The text was updated successfully, but these errors were encountered: