-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
Did 0.0.6 release get re-tagged? #108
Comments
nope, see this example |
This is a mystery! No re-tagging as far as we are aware. We confirmed before renaming the repository that it should not affect the formula since github redirects. But thanks for point this out, I will try and see if I can find out why it has changed. Interesting enough the GUI still says the tar.gz was uploaded Mar 27, 2023, so that means it should have been wrong all along? |
recently, we found that zrok has the similar checksum stability issue, see openziti/zrok#561 |
Okay, so I cloned a fresh repo, checked out the tag v0.0.6. I compared the two folders using
So no difference that is not expected. I do get this checksum (the same as in the PR) So I guess we can conclude that the new checksum is valid, and the explanation is that Github simply now generates a different checksum. I think we can close this issue now. |
If you dont mind, can you also report this to github to see if we can get some help on understanding the root cause? On the similar note, we (homebrew) recently, we had a bit thread on the cog checksum mismatch, which might also help. |
Sure!
Great, this might give some insight. Will look it through. |
I have filed a support ticket with Github to see if they can help understand the issue. I don't find we have the same issue as Cog had. AFAIK we don't have a I really cannot find any explanation to this. I will wait and see the response from Github Support. Unless anyone has any other suggestion of what to look into. |
@dehanj another idea, can we upload the source tarball as github asset into each release (in that way, it wont be changed at all) |
@chenrui333 This might not be a discussion that should happen in this issue, but I'm curious. What is Homebrew's official recommendation on how to provide the source code to the Formula? Since GitHub my be re-generating the tar.gz to save space, and since GitHub has never guaranteed checksum stability (even if it seems like it has been taken for granted, but actually seldomly has changed). |
yeah, it is the default source code tarball, we just took it for convenience, but if projects have release source tarball rather than the github one, we intend to use them instead of the github default.
but like what @ZhongRuoyu found in Homebrew/homebrew-core#162731 (comment), whenever the metadata change, it would cause some github source tarball change. There is no official recommendation on this yet, but due to the github tarball stability, I did add a audit making sure the right source tarball being referenced in the formula. |
Then we can conclude this is due to the renaming of the repository. |
馃憢 While building go@1.21 formula and dependencies, we found that tkey-ssh-agent 0.0.6 source tarball has checksum mismatch, raise this issue to confirm if there was a git re-tagging happened. Thanks! 馃檹
The text was updated successfully, but these errors were encountered: