indexdata / yaz

Z39.50 toolkit for C
http://www.indexdata.com/yaz

Checking on 5.34.1 tarball modification/re-upload #120

Closed by cho-m 1 month ago

cho-m commented 2 months ago

It looks like the tarball (https://download.indexdata.com/pub/yaz/yaz-5.34.1.tar.gz) changed since the original upload and I wanted to confirm this was a valid/intended modification.

I mainly want to check for security reasons prior to rebuilding the Homebrew package (https://github.com/Homebrew/homebrew-core/pull/182130).

On the Homebrew side, we used the tarball available on 2024-06-20 (https://github.com/Homebrew/homebrew-core/pull/175236), which had a SHA256 of c7fd8e0222b3b0d1115ad8e7a2ee67be7a2807624d61d5b71854bf5e167ab7a9. This appears to be the same tarball used by Debian^1 and Fedora^2.

https://download.indexdata.com/pub/yaz/ shows the current tarball was uploaded on 2024-06-22 with a sha256 of 393ff4fbbf9194465996236f39efb2962848820247296aec2a6170b0d5d2a44c.

jakub-id commented 1 month ago

@cho-m we will take a look at this, I think it's likely that the tarball was modified and re-uploaded. cc @funkymalc

jakub-id commented 1 month ago

@cho-m I diffed the Debian tarball against the one from download.indexdata.com and there are only small changes in Makefile.am (Debian patches those) and documentation changes. No code changes. The tarball on download.indexdata.com was updated after the original was published because of said documentation changes. You can safely switch back to download.indexdata.com; we will be publishing 5.34.2 soon.
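A changed archive SHA256 says only that the tarball differs, not which files changed; the member-by-member comparison described in the comment above can be scripted. The following is an added example, not part of the original thread or Index Data's tooling, and the two tarballs (`pkg-1.0`, their file names and contents) are constructed in memory as assumptions for the demo.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes, strip_components=1):
    """Map each regular file's path (top-level dir stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links carry no file content to hash
            path = "/".join(member.name.split("/")[strip_components:])
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def diff_tarballs(old_bytes, new_bytes):
    """Return (added, removed, changed) file paths between two tarballs."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def make_tarball(files, mtime):
    """Build a constructed .tar.gz in memory from {path: bytes} for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: identical source file, edited docs, later upload time.
ORIGINAL = make_tarball({"pkg-1.0/src/main.c": b"int main(void){return 0;}\n",
                         "pkg-1.0/doc/manual.html": b"<p>old docs</p>\n"}, mtime=1718841600)
REUPLOAD = make_tarball({"pkg-1.0/src/main.c": b"int main(void){return 0;}\n",
                         "pkg-1.0/doc/manual.html": b"<p>new docs</p>\n",
                         "pkg-1.0/doc/NEWS": b"doc fixes\n"}, mtime=1719014400)

if __name__ == "__main__":
    print("archive sha256 differs:",
          hashlib.sha256(ORIGINAL).hexdigest() != hashlib.sha256(REUPLOAD).hexdigest())
    added, removed, changed = diff_tarballs(ORIGINAL, REUPLOAD)
    print("added:", added, "removed:", removed, "changed:", changed)
```

Hashing file contents rather than whole archives ignores differences in timestamps and compression, so only real content changes are reported for review.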

jakub-id commented 1 month ago

@cho-m yaz-5.34.2 is now available. We will take care not to update the tarball in case the docs are updated.

cho-m commented 1 month ago

Thanks for the confirmation and release notification. I will update to the next version in https://github.com/Homebrew/homebrew-core/pull/191394