VDR4Arch / vdr4arch

VDR PKGBUILDs for Arch Linux

"Release" tarball checksum of markad plugin 3.4.3 changed #248

Closed tmn505 closed 10 months ago

tmn505 commented 10 months ago

Describe the problem

Unfortunately these "release" tarballs are dynamically generated and it was never guaranteed that the procedure of creating them will never change (https://github.com/libgit2/libgit2/issues/4343). There was a big outburst about it a year ago, when an update of the git version on the GH servers caused recreation of the cached tarballs. Naturally the checksums changed, and because of the fast revert we weren't affected, but the immutability is still not guaranteed and checksums will change in the future (https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes).

The simplest remedy I see is to simply use git checkout with "#release=x.y.z" appended, then we don't have to bother about the checksum. The other one would be downloading using the hash as the value instead of the release, which looks like this: "https://github.com/kfb77/vdr-plugin-markad/archive/e5c3f4971778b3ef9e4eb64d88ff3a02844a0c38.tar.gz". It's not beautiful, but git archive should (I'm not 100% sure) always generate an archive with the same checksum, since we always ask for the same object, which is not parsed through some codepage.

To reproduce

Download https://github.com/kfb77/vdr-plugin-markad/archive/refs/tags/V3.4.3.tar.gz

Expected behavior

Should match dd18e82e9d1c99cbda07f0e23fa9d390eb6f7c8a4cc4b311e4adc39c9c01d956 instead has 4c5892fd8d725e53b8bb2aaa679527b80e3443b6abd16d7d495cb7d877075305

Additional context

One possible reason that checksum changed might be that @kfb77 rebased and force pushed changes to the repository but that still is not the main issue.

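The check a packager wants when a pinned sha256sum suddenly fails is the one M-Reimer describes below: tell a regenerated archive (same tree, different bytes) apart from an archive whose source actually changed (force push, retag). The script below is an added example, not code from this repository or from the markad project. It builds three constructed tarballs offline: two snapshots of an identical tree that differ only in file mtimes, and a third with a one-line source change. `archive_sha256` hashes the archive bytes as a PKGBUILD `sha256sums` entry would; `content_sha256` hashes only the sorted file contents, so it is stable across regeneration; `tree_diff` shows exactly which files changed. Tool names (`tar`, `gzip -n`, `sha256sum`/`shasum`, `diff -r`, `find`) are standard, and the file names and contents are made up for the demonstration. For the pinning side, makepkg's VCS source fragments are `#tag=` and `#commit=` (the comment above writes `#release=`, which makepkg does not recognise).

```shell
#!/bin/sh
# Added example (not from the vdr4arch repo): distinguish a regenerated
# tarball from a changed one by comparing content, not archive bytes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sha256 of stdin; sha256sum on Linux, shasum on BSD/macOS.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# Hash of the archive file itself (what a PKGBUILD sha256sums entry pins).
archive_sha256() { sha256_stdin < "$1"; }

# Hash over sorted (path, content-hash) pairs: independent of tar/gzip
# metadata such as mtime, owner, gzip header fields or entry ordering.
content_sha256() {
    cdir=$(mktemp -d -p "$WORK")
    tar -xzf "$1" -C "$cdir"
    ( cd "$cdir" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s ' "$f"; sha256_stdin < "$f"
      done ) | sha256_stdin
}

# Recursive diff of two extracted archives. Prints differing paths and
# returns 1 if the trees differ, 0 if they are identical.
tree_diff() {
    da=$(mktemp -d -p "$WORK"); db=$(mktemp -d -p "$WORK")
    tar -xzf "$1" -C "$da"; tar -xzf "$2" -C "$db"
    if diff -r "$da" "$db"; then return 0; else return 1; fi
}

# --- constructed sample data -------------------------------------------
# make_tree DIR README_LINE: a tiny fake plugin source tree.
make_tree() {
    mkdir -p "$1/src"
    printf 'int main(void) { return 0; }\n' > "$1/src/main.c"
    printf '%s\n' "$2" > "$1/README"
}
# snapshot DIR STAMP OUT: set all mtimes to STAMP and pack deterministically.
snapshot() {
    find "$1" -exec touch -t "$2" {} +
    tar -cf - -C "$1" . | gzip -n -c > "$3"
}

make_tree "$WORK/tree" "markad 3.4.3"
snapshot  "$WORK/tree" 200001010000 "$WORK/snap-a.tar.gz"   # original archive
snapshot  "$WORK/tree" 200101010000 "$WORK/snap-b.tar.gz"   # regenerated, same tree
make_tree "$WORK/tree2" "markad 3.4.3 (cppcheck fix)"        # one-line change
snapshot  "$WORK/tree2" 200001010000 "$WORK/snap-c.tar.gz"  # force-pushed tag

echo "archive hashes:"
for f in a b c; do printf '  snap-%s %s\n' "$f" "$(archive_sha256 "$WORK/snap-$f.tar.gz")"; done
echo "content hashes:"
for f in a b c; do printf '  snap-%s %s\n' "$f" "$(content_sha256 "$WORK/snap-$f.tar.gz")"; done
echo "tree diff a vs c:"
tree_diff "$WORK/snap-a.tar.gz" "$WORK/snap-c.tar.gz" || true
```

Run it and snap-a and snap-b show different archive hashes but the same content hash (harmless regeneration), while snap-c differs in both and `tree_diff` names README as the changed file, which is the signal to inspect the upstream history for a force push before bumping the checksum.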

kfb77 commented 10 months ago

Guilty as charged. I got a cppcheck error from the GitHub workflow in this release. I fixed this, rebased and force pushed before announcing the new version. I usually never rebase in the master branch.

M-Reimer commented 10 months ago

Thank you for picking this up.

Yesterday I already analyzed this to check if something malicious may have happened. I have a cache on my personal build VM and still had the "old" tarball. It was basically one line different which made me confident that this was a force push.

My preferred way to fix is to just update to the latest version.

M-Reimer commented 10 months ago

Updated package which fixes this issue