audacity / audacity

Audio Editor
https://wiki.audacityteam.org/wiki/For_Developers

2.3.3 has been retagged #421

Closed dvzrv closed 4 years ago

dvzrv commented 4 years ago

Describe the bug

The tag Audacity-2.3.3 has apparently been re-done on 2019-11-28 according to the release notes.

When packaging 2.3.3 for Arch Linux, I have used a tarball downloaded on 2019-11-22 14:21 CEST. However, that one had a different checksum, which breaks reproducibility of the audacity package.

While I understand that changes to software are inevitable, I urge you to please not retag versions, but rather just release a new version (e.g. 2.3.4). After all, the code has been changed!

Thanks for your consideration!

To Reproduce

Steps to reproduce the behavior:

  1. Be (un)fortunate enough to download a tarball before the version got re-tagged
  2. Have downstream bug reports
  3. Move initially downloaded tarball to backup location
  4. Diff old and new version and hope that the resulting patch (see below) doesn't eat your kittens
  5. Write an upstream bug report

Expected behavior

When downloading a tarball that was created by a git tag, it will never change in content.

Screenshots

diff -ruN audacity-2.3.3/mac/scripts/build_dist2.sh audacity-2.3.3-old/mac/scripts/build_dist2.sh
--- audacity-2.3.3/mac/scripts/build_dist2.sh   2019-11-15 12:14:55.000000000 +0100
+++ audacity-2.3.3-old/mac/scripts/build_dist2.sh   1970-01-01 01:00:00.000000000 +0100
@@ -1,105 +0,0 @@
-set -x
-
-# Setup
-VERSION=`awk '/^#define+ AUDACITY_VERSION / {print $3}' build/Info.plist.h`
-RELEASE=`awk '/^#define+ AUDACITY_RELEASE / {print $3}' build/Info.plist.h`
-REVISION=`awk '/^#define+ AUDACITY_REVISION / {print $3}' build/Info.plist.h`
-VERSION=$VERSION.$RELEASE.$REVISION
-
-cd "${DSTROOT}"
-chmod -RH "${INSTALL_MODE_FLAG}" "${TARGET_BUILD_DIR}"
-chown -RH "${INSTALL_OWNER}:${INSTALL_GROUP}" "${TARGET_BUILD_DIR}"
-
-echo "Audacity has been installed to: ${DSTROOT}"
-
-cd ..
-
-VOL="Audacity $VERSION"
-DMG="audacity-macos-$VERSION"
-
-# Preclean
-rm -rf "$DMG" "$DMG.dmg" TMP.dmg
-
-# Create structure
-mkdir "$DMG"
-cp -pR "${DSTROOT}/" "${DMG}"
-
-#Add a custom icon for the DMG
-#cp -p mac/Resources/Audacity.icns "${DMG}"/.VolumeIcon.icns
-
-# Make sure it's not already attached
-ATTACHED=$(hdiutil info | awk "/\/Volumes\/${VOL}/{print \$1}")
-if [ -n "${ATTACHED}" ]
-then
-   hdiutil detach "${ATTACHED}"
-fi
-
-# Create and mount the image
-hdiutil create -ov -format UDRW -srcdir "$DMG" -fs HFS+ -volname "$VOL" TMP.dmg
-if [ $? -ne 0 ]
-then
-   echo "Create failed"
-   exit 1
-fi
-
-#Mount the DMG and store the name it was mounted with
-TITLE=$(hdiutil attach TMP.dmg | grep \/Volumes | sed "s/^.*\/Volumes\///")
-if [ $? -ne 0 ]
-then
-   echo "Attach failed"
-   exit 1
-fi
-
-# And wait for it to show up in Finder
-osascript <<EOF
-   tell application "Finder"
-      repeat until exists disk "${TITLE}"
-         log "Waiting for ${TITLE} to appear"
-         delay 0.2
-      end repeat
-   end tell
-EOF
-
-#Set the custom icon flag
-#SetFile -a C /Volumes/"$TITLE"
-
-#Make our DMG look pretty and install the custom background image
-echo '
-   tell application "Finder"
-     tell disk "'$TITLE'"
-           open
-           set current view of container window to icon view
-           set toolbar visible of container window to false
-           set statusbar visible of container window to false
-           set the bounds of container window to {400, 100, 1000, 550}
-           set theViewOptions to the icon view options of container window
-           set arrangement of theViewOptions to not arranged
-           set icon size of theViewOptions to 72
-           set background picture of theViewOptions to file ".background:Audacity-DMG-background.png" 
-           make new alias file at container window to POSIX file "/Applications" with properties {name:"Applications"}
-           set position of item "Audacity" of container window to {170, 350}
-           set position of item "Applications" of container window to {430, 350}
-           close
-           open
-           update without registering applications
-           delay 5
-           eject
-     end tell
-   end tell
-' | osascript
-
-# Compress and prepare for Internet delivery
-hdiutil convert TMP.dmg -format UDZO -imagekey zlib-level=9 -o "$DMG.dmg"
-
-# Create zip version
-rm -rf "${DMG}/.background"
-rm -rf "${DMG}/Audacity.app/help/"
-zip -r9 "${DMG}.zip" "${DMG}"
-
-# Cleanup
-#rm -rf ${DMG} TMP.dmg
-echo 'resizing and openning dmg'
-hdiutil resize -size 200m TMP.dmg
-hdiutil mount TMP.dmg
-echo 'declutter the dmg, sign, compress and sign it'
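Review bot: the failure checks in this script do not test what they appear to. After `TITLE=$(hdiutil attach TMP.dmg | grep \/Volumes | sed "s/^.*\/Volumes\///")` the `if [ $? -ne 0 ]` sees the exit status of the command substitution, which is that of `sed`, the last command in the pipeline, so a failed `hdiutil attach` (leaving `TITLE` empty) is not caught; the `ATTACHED=` pipeline is not checked at all, and `hdiutil convert`, `zip`, `hdiutil resize` and `hdiutil mount` have no status check either, while `set -x` is used without `set -e`. Suggest `set -e -o pipefail` at the top if the build shell is bash, and `[ -n "$TITLE" ] || { echo "Attach failed"; exit 1; }` in place of the `$?` test. The script also ends with `echo 'declutter the dmg, sign, compress and sign it'` followed by no code that does so, and the cleanup `#rm -rf ${DMG} TMP.dmg` is commented out, so the file as added to a release tag reads as unfinished; `openning` in the preceding echo is misspelled.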
-
diff -ruN audacity-2.3.3/src/Audacity.h audacity-2.3.3-old/src/Audacity.h
--- audacity-2.3.3/src/Audacity.h   2019-11-15 12:14:55.000000000 +0100
+++ audacity-2.3.3-old/src/Audacity.h   2019-11-15 00:28:15.000000000 +0100
@@ -39,7 +39,7 @@
 // Its value may be more than 0 for pre-release "Beta" builds that differ only
 // in the welcome screen, and hiding of some development menu commands, but
 // still link to the alpha manual online.
-#define AUDACITY_BUILD_LEVEL 2
+#define AUDACITY_BUILD_LEVEL 0

 // used #ifdef not #if for IS_ALPHA, IS_BETA, IS_RELEASE, USE_ALPHA_MANUAL
 #undef IS_ALPHA
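Review bot: the polarity of this hunk is easy to misread. The diff was run as `diff -ruN audacity-2.3.3 audacity-2.3.3-old`, so the `---` side is the re-tagged tree and the `+++` side is the tarball fetched earlier; `-#define AUDACITY_BUILD_LEVEL 2` is therefore the value shipped by the re-tag and `+#define AUDACITY_BUILD_LEVEL 0` the value in the earlier download. Read the right way round, the earlier tarball carried build level 0 and the re-tag replaced it with build level 2, which fits the file's own comment that a non-zero value marks a build that differs from a pre-release only in the welcome screen and some menu commands. Suggest regenerating with the old tree as the first argument (`diff -ruN audacity-2.3.3-old audacity-2.3.3`) so that `+` lines read as "what the re-tag changed".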

Additional context

To prevent supply chain attacks and establish a form of trust in upstreams it is viable to not retag a version.

Retagging versions, especially for a repository without any form of author verification (e.g. PGP signed tags and commits) breaks the reproducible build effort and trust in a given upstream (e.g. a developer could have been hacked, added malicious code and retagged a version) while introducing unnecessary bug reporting overhead for downstreams.
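The packaging-side check described in this report, as an added example that is not part of the issue or of Audacity's own tooling: a packager pins the digest of the tarball used for the first build (the role of a checksum list in a downstream package recipe) and refuses any later download that does not match, then lists which archive members differ so the mismatch can be explained instead of merely blocked. The two tarballs are constructed in memory as stand-ins for the 2019-11-22 download and the re-tagged one; only the `Audacity.h` change and the added `build_dist2.sh` file from the diff above are reproduced, with placeholder contents.

```python
"""Pinned-checksum verification of a release tarball plus a member-level
diff that explains a mismatch.  Added example; the archives below are
constructed sample data, not the real Audacity tarballs."""
import hashlib
import io
import tarfile


def make_tarball(files):
    """Build an uncompressed tar archive in memory from {path: text}.
    Constructed sample data; mtimes are fixed so the digest is stable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            data = files[path].encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of a byte string (what a packager records at first build)."""
    return hashlib.sha256(data).hexdigest()


def verify_source(tarball, expected_sha256):
    """True only if the tarball matches the pinned digest.  A moved tag
    changes the archive content and therefore fails this check."""
    return sha256_hex(tarball) == expected_sha256


def changed_members(old_tarball, new_tarball):
    """Sorted list of members that were added, removed or modified between
    two archives, so a failed verification can be investigated."""
    def contents(blob):
        out = {}
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    out[member.name] = tar.extractfile(member).read()
        return out

    old, new = contents(old_tarball), contents(new_tarball)
    return sorted(p for p in set(old) | set(new) if old.get(p) != new.get(p))


# Constructed stand-ins: the earlier download and the re-tagged archive.
# Only the build-level change and the added script from the issue's diff
# are modelled; file contents are placeholders.
ORIGINAL = make_tarball({
    "audacity-2.3.3/src/Audacity.h": "#define AUDACITY_BUILD_LEVEL 0\n",
})
RETAGGED = make_tarball({
    "audacity-2.3.3/src/Audacity.h": "#define AUDACITY_BUILD_LEVEL 2\n",
    "audacity-2.3.3/mac/scripts/build_dist2.sh": "set -x\n",
})

# Digest a packager would have pinned from the first download.
PINNED_SHA256 = sha256_hex(ORIGINAL)

if __name__ == "__main__":
    print("original verifies:", verify_source(ORIGINAL, PINNED_SHA256))
    print("retagged verifies:", verify_source(RETAGGED, PINNED_SHA256))
    print("changed members:", changed_members(ORIGINAL, RETAGGED))
```

The digest check is the gate; the member diff is diagnostic only. It answers "what moved" but not "who moved it", which is why the report also asks for signed tags: a pinned checksum detects a re-tag, and a signature on the tag is what ties the new content back to a maintainer key.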

SteveDaulton commented 4 years ago

Unfortunately, when Audacity 2.3.3 was released, the wrong commit was tagged. The tag pointed to the final 2.3.3 alpha (commit eb2161), rather than the first 2.3.3 release (commit 008d8d8). This was spotted a few days later and corrected. As you will see from the build information (Audacity "Help menu > About Audacity"), commit eb2161 is NOT a release version. Apologies for the confusion.

tadywankenobi commented 4 years ago

I'm getting a Cloudflare 1020 error when trying to access the audacity website, would it have anything to do with this release?

JamesCrook commented 4 years ago

Nope, the Cloudflare 1020 error does not have anything to do with this release.