eudev-project / eudev

Repository for eudev development
GNU General Public License v2.0

Consider uploading maintainer-generated tarballs #151

Closed rossburton closed 7 years ago

rossburton commented 7 years ago

GitHub /archive/[tag].tar.gz tarballs (eg https://github.com/gentoo/eudev/archive/v3.2.4.tar.gz) are generated on demand and cached, so over time can and will change. Assuming the tag never changes the extracted contents are identical but the actual tarball may have a different checksum over time.

This makes it hard to use /archive/ tarballs with distributions which verify downloaded tarballs with a checksum (such as openembedded, which uses eudev out of the box). Would you consider uploading a static maintainer-generated tarball when you tag a release?

blueness commented 7 years ago

That's why I set up http://dev.gentoo.org/~blueness/eudev/

rossburton commented 7 years ago

Oh that's awesome. You should consider uploading them as you make releases to GitHub so people like me don't bother you. :)

Ross

blueness commented 7 years ago

I'm not sure how to do that

rossburton commented 7 years ago

When you make a release (ie tag the repo) go to https://github.com/gentoo/eudev/releases, press Create a New Release, pick the tag, and drag the tarball you've already made into the page. GitHub will associate the tarball with the tag and let users download it.

Ross

On 18 September 2017 at 22:42, Anthony G. Basile <notifications@github.com> wrote:

> I'm not sure how to do that


williamh commented 7 years ago

I think when GitHub generates archives, it uses "git archive" which uses the timestamp in the tag for the timestamp in the archive. Because of that, the archive's checksum will never change no matter how many times you generate the archive.

rossburton commented 7 years ago

On 18 September 2017 at 23:22, William <notifications@github.com> wrote:

> I think when GitHub generates archives, it uses "git archive" which uses the timestamp in the tag for the timestamp in the archive. Because of that, the archive's checksum will never change no matter how many times you generate the archive.

Unless tar changes and the bitstream of the tarball is different (with identical contents). Ditto for gzip.

For a few years this has been a hypothetical situation but I've actually seen it happen with an Erlang tarball recently and GitHub have confirmed that whilst they cache the tarballs, they're not stored forever.

At some point the checksum will change. It's very annoying when it does for our build system (enforced checksum validation on fetch), so I'm preemptively removing all use of /archive/ tarballs.

Ross
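
The distinction drawn in the comment above, between a tarball's bitstream and its extracted contents, shown as an added example (not code from the thread or from the eudev project). The file tree is constructed sample data, and the change of gzip level and tar header format is an assumed stand-in for a tar or gzip change on the server.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a tagged release (not real eudev files).
FILES = {
    "proj-1.0/README": b"sample readme\n" * 50,
    "proj-1.0/src/main.c": b"int main(void) { return 0; }\n" * 50,
}

def make_tarball(level, tar_format):
    """Pack FILES into a .tar.gz, varying only the tool settings."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tar_format) as tar:
        for name in sorted(FILES):
            info = tarfile.TarInfo(name)
            info.size = len(FILES[name])
            info.mtime = 1505772000  # fixed timestamp, as a tag would supply
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(FILES[name]))
    out = io.BytesIO()
    # mtime=0 keeps the gzip header timestamp constant between runs
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=0) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """What a checksum-enforcing fetcher pins: SHA-256 of the tarball bytes."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over the extracted contents (name, mode, size, data)."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(f"{m.name}\0{m.mode:o}\0{len(data)}\0".encode())
                h.update(data)
    return h.hexdigest()

old = make_tarball(9, tarfile.GNU_FORMAT)  # archive as first generated
new = make_tarball(1, tarfile.PAX_FORMAT)  # regenerated after a tool change

if __name__ == "__main__":
    print("archive digests equal:", archive_digest(old) == archive_digest(new))
    print("content digests equal:", content_digest(old) == content_digest(new))
```
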

EvaSDK commented 6 years ago

I was ready to comment about it being a documentation issue but it appears that the tarball release location is written in the readme already.

rossburton commented 6 years ago

In which case I apologise for not noticing that!

Ross

On 20 September 2017 at 15:27, Gilles Dartiguelongue <notifications@github.com> wrote:

> I was ready to comment about it being a documentation issue but it appears that the tarball release location is written in the readme already.
