Closed dvzrv closed 7 months ago

Hi! :wave:
I'm currently looking into upgrading the package for this project on Arch Linux. We have updated the package to 2.1.0 on 2023-12-25: https://gitlab.archlinux.org/archlinux/packaging/packages/python-email-validator/-/commit/39473a30a13a783b4f146da8e44d8dd151c17a45
Here, a SHA-512 checksum of
d285404f6735e0cd33385060c483a4dd4e12ace4b2e7027f8cd360901bc640ae999eb5d3ec2b98530e53af48f8e6c180d65cb53eec4de5a1617149ab76027901
was locked for the tarball. Today I downloaded the sources and am met with a different checksum:
e2dfc9b025e95ee2528cb3598c4b77dc9feb6335737de6a621bb968c499a07da75315422df9ed29d9b7d6dcc6a89da73d4d1c646b62b6824050216e25377166a
The most plausible explanation is usually that a tag has been deleted and recreated (somewhere else). Worst case this is a supply chain attack that we would likely want to guard ourselves against :sweat_smile:
@JoshData can you provide some insight into this?

I think that was me. I'll confirm later today.

Glad to know someone is paying attention to the hashes!
The v2.1.0 tag points to the 2.1.0-post1 release, which corrected #118. I think I remember re-tagging it to pull the original 2.1.0 release.
Apologies for the confusion.

Thanks for providing clarification for this issue! FWIW, I think PyPI natively supports post releases?
Please just create a new tag in the future, as downstreams do rely on tag commits and/or auto-generated source tarballs. Changing them breaks reproducible build efforts and then generates overhead for packagers, as they (should) reach out to upstream to clarify the situation.
Either way, thanks for the explanation! :bow:

Totally fair. I'll try not to do that again. I've been on the other side of this problem and have felt the frustration. :)
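As an added example (not code from this thread or from the email-validator project), here is the downstream check that caught the re-tag: a tarball for an untouched tag reproduces the pinned SHA-512, while the same tag name pointing at a different commit does not. The tarball builder, file contents and 40-character commit ids are constructed stand-ins, not the forge's real archive format.

```python
import hashlib
import io
import tarfile


def build_release_tarball(files: dict, commit: str) -> bytes:
    """Constructed stand-in for a forge's auto-generated source tarball.
    Metadata is fixed so the same tree at the same commit always yields
    byte-identical output; like git archive, the commit id is recorded in
    a pax global header, so a moved tag changes the bytes even if the
    tree itself were identical."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers={"comment": commit}) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # no build-time timestamps leaking into the hash
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def verify_pinned(data: bytes, pinned_sha512: str) -> tuple:
    """The packager's check: compare a freshly downloaded tarball with the
    checksum recorded when the package was first built."""
    actual = sha512_hex(data)
    if actual == pinned_sha512:
        return True, "tarball matches pinned checksum"
    return False, f"mismatch: pinned {pinned_sha512[:16]}..., got {actual[:16]}..."


# Constructed sample release: tag v2.1.0 as originally published.
ORIGINAL_TREE = {"email_validator/__init__.py": b"__version__ = '2.1.0'\n"}
ORIGINAL_COMMIT = "0" * 40  # placeholder commit id, not a real one
PINNED = sha512_hex(build_release_tarball(ORIGINAL_TREE, ORIGINAL_COMMIT))


def simulate_unchanged_tag() -> tuple:
    """Re-downloading an untouched tag reproduces the pinned checksum."""
    return verify_pinned(build_release_tarball(ORIGINAL_TREE, ORIGINAL_COMMIT), PINNED)


def simulate_retag() -> tuple:
    """Same tag name, now pointing at a later commit that carries a fix:
    the regenerated tarball no longer matches the pinned checksum."""
    fixed_tree = dict(ORIGINAL_TREE, CHANGELOG=b"2.1.0-post1: fix\n")
    moved = build_release_tarball(fixed_tree, "1" * 40)  # placeholder commit id
    return verify_pinned(moved, PINNED)
```

Running `simulate_unchanged_tag()` and `simulate_retag()` side by side shows why a mismatch alone cannot tell a benign re-tag from a tampered archive: the packager still has to ask upstream which commit the tag now names.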