Closed dvzrv closed 4 years ago
At some point in January we saw the macOS binary was wrongly built for OSX 10.15 Catalina only, so we decided to rebuild it for 10.12 and later, and update the binary Faust-2.20.2.dmg ) and Faust-2.20.2.dmg. I don't remember uploading the faust-2.20.2.tar.gz which was not the initial intention obviously (since Linux was to affected by the binary but issue). But I probably made the error at that time, sorry for that.
When rebuilding 2.20.2 on Arch Linux for a file removal I stumbled upon a differing checksum for the release tarball. The old tarball was downloaded on 2019-12-09 15:25 CEST, while on 2020-01-14 01:35 2.20.2 got tagged again.
The diff is:
I would like to state that this is really bad practice and I would like to urge you not to do this. Re-tagging not only breaks reproducible builds and diminishes trust in upstream (e.g. likelihood for supply chain attacks), it additionally adds bug tracker overhead for downstreams (due to breaking builds) and upstreams (to report this) for no reason at all (because proper ways of versioning exist (e.g. #371)).
All in all, this doesn't give me a lot of confidence that requests by contributors are taken seriously or are valued.