css checksum changed and is not installable currently #25344
Comments
|
Don't know what happened, release 0.1.0 is the same as 11 months ago: https://framagit.org/zoggy/ocaml-css/-/tags but indeed this has not the same sha512. The |
|
@zoggy I have a copy of the tarball with the correct hash: if you can upload it as release artifact and update the url in the opam file, I'd be happy to send it to you. Otherwise I can upload it on the opam-source-archives |
|
(sorry for the late answer, holidays...) I think it's better to put the tarball on the opam source archives. By the way, may be having all referenced tarballs of opam packages on this source archive repo would be better ? Is there a way to automatize this ? |
|
That is just a temporary solutions and very limited by the maximum size of repositories. From my understanding the plan is integrating opam with software heritage and then get the sources directly from there. It may be that this is happening soon let me ping @kit-ty-kate that knows more |
|
FWIW, the tarball is available as https://opam.robur.coop/cache/md5/bc/bc4bdcf47b37c7bd50bf9f31c391dcd2 |
|
Since a few years, with the work of @rjbou and myself, all packages are automatically archived by software heritage. Moreover, if the SWHID is added to the opam file, opam is also able to fetch the sources from SWH in case they are missing. The only (IIRC) thing left to do is patching the opam repository with all the SWHIDs. |
I disagree. Software Heritage is a flawed platform and should not be trusted in my opinion as long as ocaml/opam#5720 is still a problem. |
|
I tought this had been clarified. The SWHID is a form of checksum and it is checked by opam when downloading and it is thus as safe to use as a checksum: if the SWHID is the same, the content is the same. We could also make opam-repo check that the added SWHID is initially valid (as it does for checksum I guess). |
|
I have to admit, I appreciate the work on software heritage. I'd still have a better feeling if opam would always check recorded checksums. What is the price? not too much. What is the value? Well, who ensures that software heritage servers are never compromised? So, the value of locally verifying checksums is that opam can be trusted without any thoughts on software heritage, it's operations etc. |
As I'm trying to explain, it does, but here the checksum would simply be called "SWHID". You can compute it locally, check that it matches the recorded SWHID etc. |
|
The SWHID story is explained in this comment ocaml/opam#5720 (comment). To complete: As Software Heritage recompute archives from sources, it is not possible to use the original checksum that is given. That's why we rely on swhid given/generated by maintainers & checked by opam repo CI to be sure that we have the good source & opam checks it. There is no blind reliability on SWH servers. |
|
Ah, thanks Raja. I keep on forgetting about the details about swhid. |
|
Thanks @hannesm for the tarball. So hosting tarballs on opam source archive is not the perennial way to go, and SWH is not yet ready. Gitlab does not seem to offer a way to upload tarballs either, except in the repo itself (for example in the public directory, used for the web pages) but I'd like to avoid that. Any other place to upload such arhives ? |
|
To me the ideal place if the repository itself if it allows to upload static tarballs.
Otherwise I think for the time being the opam-source-archive is the best thing to use, I have not yet done it only because I did not yet have a moment to sit at my laptop. Hopefully it will happen tonight.
|
|
But it may be heavier to handle for each new release. I can live with tarballs in the repo, so don't bother, I will add tarballs to lru-cache and css repositories tomorrow and submit a patch for opam files in opam repo. |
cc @zoggy
The text was updated successfully, but these errors were encountered: