Do not rebuild packages when an extra-source's url changes but not its checksum #5258
We might want to do this only in the presence of strong checksums, given the attacks on both md5 and sha1? The alternative would be to actually download the patch and check that it really is the same as the one used, but that's highly invasive to the code (network access before confirmation, etc.)
I agree this is an issue but it's not specific to this change (and is much worse for the main urls or even with the new software heritage feature for instance). Could you open a separate issue to discuss it more fully?
That's a good point - I'd forgotten that the cache already works this way
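The policy raised in the first comment above, as an added example that is not part of this pull request or of opam's code: a URL-only change skips the rebuild only when a strong checksum pins the content. The `(url, checksums)` shape, the `algo=hexdigest` strings, the function names and the sample values are assumptions made for illustration.

```python
import hashlib

# Assumption: these are the algorithms accepted as collision-resistant.
# md5 and sha1, the two named in the comment, are deliberately left out.
STRONG = {"sha256", "sha512"}


def parse(checksum):
    """Split an 'algo=hexdigest' string into a normalised (algo, digest) pair."""
    algo, sep, digest = checksum.partition("=")
    if not sep or not digest:
        raise ValueError(f"malformed checksum: {checksum!r}")
    return algo.lower(), digest.lower()


def rebuild_reason(old, new):
    """Return why a rebuild is needed, or None if the build can be kept.

    old and new are (url, [checksum, ...]) pairs describing one extra-source
    before and after the package definition changed (hypothetical shape).
    """
    (old_url, old_sums), (new_url, new_sums) = old, new
    old_set = {parse(c) for c in old_sums}
    new_set = {parse(c) for c in new_sums}
    if old_set != new_set:
        return "checksum changed"
    if old_url == new_url:
        return None
    # URL moved but checksums are identical: rely on them only if one is strong.
    if any(algo in STRONG for algo, _ in new_set):
        return None
    return "url changed and only weak checksums pin the content"


# Constructed sample data: a patch body, its digests and two mirror URLs.
PATCH = b"--- a/configure\n+++ b/configure\n"
SHA256 = "sha256=" + hashlib.sha256(PATCH).hexdigest()
MD5 = "md5=" + "ab" * 16  # constructed digest, not a real hash of PATCH
OLD_URL = "https://example.org/fix.patch"
NEW_URL = "https://mirror.example.net/fix.patch"

if __name__ == "__main__":
    for sums in ([SHA256], [MD5], [MD5, SHA256]):
        algos = [parse(c)[0] for c in sums]
        print(algos, "->", rebuild_reason((OLD_URL, sums), (NEW_URL, sums)))
```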
Updated with a test
Detected in ocaml/opam-repository#22016