Open bartoldeman opened 1 year ago
Very much +1 on this...
Although there probably was some motivation for doing this, please don't underestimate the impact this has on package management/installation tools like EasyBuild which use checksums to make sure they're not using a corrupt or somehow hijacked source tarball.
Agree, it was an unfortunate issue and we're sorry for the inconvenience. Do we want to try recovering the original packages so the sha1 would match?
Note: it's not clear to me if the unfortunate issue only affected the binaries... if so, fixing those is a little more understandable.
However for the sources, if the unpacked result is the same, I don't understand how there could be any issue.
@bartoldeman can you please post here the ucx-1.13.1.tar.gz that you got from the Sep 2022 release?
$ sha256sum ucx-1.13.1.tar.gz
efc37829b68e131d2acc82a3fd4334bfd611156a756837ffeb650ab9a9dd3828 ucx-1.13.1.tar.gz
@branfosj there is no difference in the actual files, but the file dates in the archive are different. I guess this is causing the difference in checksum.
Describe the bug
As described in https://github.com/easybuilders/easybuild-easyconfigs/pull/17077 the ucx-1.13.1 release tarball has changed on January 2nd but its unpacked sources have not. As EasyBuild and other build systems check sha256sums, changing release tarballs should be avoided, and it would be better to then make a new release (1.13.2).
Steps to Reproduce
expected (from Sep 2022 release)
efc37829b68e131d2acc82a3fd4334bfd611156a756837ffeb650ab9a9dd3828 ucx-1.13.1.tar.gz
actual value (from Jan 2023 upload)
2c4a2f96c700e3705e185c2846a710691b6e800e8aec11fd4b3e47bcc3990548 ucx-1.13.1.tar.gz
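An added example, not part of the original thread or of the UCX or EasyBuild code: before accepting a new checksum for a re-uploaded tarball, a packager can confirm that only archive metadata changed by comparing per-file content hashes and ignoring timestamps. The file names, contents and mtimes below are constructed sample data, and `build_tarball`, `content_manifest` and `compare` are hypothetical helper names.

```python
import gzip
import hashlib
import io
import tarfile


def build_tarball(files, mtime):
    """Build a .tar.gz in memory; `files` maps member name -> bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime  # the only field that differs between uploads
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), mtime=mtime)


def content_manifest(tarball):
    """Map member name -> (type, mode, sha256 of data), ignoring dates and owners."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar:
            digest = ""
            if member.isfile():
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            elif member.issym() or member.islnk():
                digest = member.linkname  # a retargeted link is a content change
            manifest[member.name] = (member.type, member.mode, digest)
    return manifest


def compare(old, new):
    """Return (archive_checksums_match, unpacked_content_matches)."""
    same_archive = hashlib.sha256(old).digest() == hashlib.sha256(new).digest()
    return same_archive, content_manifest(old) == content_manifest(new)


# Constructed sample data: same sources packed at two different times,
# plus a third archive where one file's content was altered.
FILES = {"pkg-1.0/configure.ac": b"AC_INIT([pkg],[1.0])\n",
         "pkg-1.0/src/main.c": b"int main(void){return 0;}\n"}
ORIGINAL = build_tarball(FILES, 1662000000)
REPACKED = build_tarball(FILES, 1672617600)
ALTERED = build_tarball({**FILES, "pkg-1.0/src/main.c": b"int main(void){return 1;}\n"},
                        1662000000)

if __name__ == "__main__":
    print("repacked:", compare(ORIGINAL, REPACKED))
    print("altered: ", compare(ORIGINAL, ALTERED))
```

A repack with new dates gives a checksum mismatch with an identical manifest, while a real content change fails both checks, so the pinned sha256 should only be updated in the first case.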