Closed chenrui333 closed 1 year ago
It didn't get re-tagged, but the source tarball on the github release page did get re-uploaded.
The version of the tarball that's available now (both on github and mosh.org) is the right version to use, with sha256:872e4b134e5df29c8933dff12350785054d2fd2839b5ae6b5587b14db1465ddd
It seems that some people downloaded the tarball from github before the official announcement (and re-upload), and this has caused some confusion. We're sorry about this.
It didn't get re-tagged, but the source tarball on the github release page did get re-uploaded.
The version of the tarball that's available now (both on github and mosh.org) is the right version to use, with sha256:872e4b134e5df29c8933dff12350785054d2fd2839b5ae6b5587b14db1465ddd
It seems that some people downloaded the tarball from github before the official announcement (and re-upload), and this has caused some confusion. We're sorry about this.
no worries, just to double confirm the release flow. Thanks!!
Historically, for every version, I've built the release tarball and put the SHA-256 hash of it in the PGP-signed release announcement (https://mosh.org/mosh-1.4.0-released.html). The release tarball itself is published on mosh.org and is mirrored elsewhere.
We now have a GitHub workflow that auto-builds release tarballs, and I expect soon we'll move to signing those (and just double-checking their output) instead of building locally, but I wanted to stay consistent with past practice for this release. The PGP-signed release announcement is the authoritative description of the release.
Did release 1.4.0 got re-tagged? Found the checksum mismatch when building the new bottle, raising this issue to double confirm. Thanks!