Closed dvzrv closed 10 months ago
hi Dave,
Sorry for that re-tagging back on June 8th.
AFAICR, it was done on the same day and prior to the righteous and official release announcement, maybe just a few minutes apart, and quite frankly you should only proceed to release packaging once the "official" release announcement is made, or on the next day to be on the safe side.
Also, in the same vein, maybe you can explain why qtractor releases are so fast to cope with, but qpwgraph's are so dang slow? The latter is still creeping way behind your (Arch Linux) tagging detection process--it is short of 3 consecutive release tags already o.O ;)
cheers
PS. OTOH, GitHub is not, and never was, the "official" project repo; it's just a mirror, and sync to the true origin may lag sometimes.
> AFAICR, it was done on the same day and prior to the righteous and official release announcement, maybe just a few minutes apart, and quite frankly you should only proceed to release packaging once the "official" release announcement is made, or on the next day to be on the safe side.
Maintaining a couple of hundred packages, I unfortunately do not have the luxury to keep lists of when upstreams deem something ready or not yet ready. The fact remains that retagging is problematic (not only for me).
> Also, in the same vein, maybe you can explain why qtractor releases are so fast to cope with, but qpwgraph's are so dang slow?
The maintainer is sort of M.I.A. I can adopt it and see if I can bump it more frequently!
> GitHub is not, and never was, the "official" project repo; it's just a mirror, and sync to the true origin may lag sometimes.
That's fine. I just prefer it for availability, as SourceForge is super slow and often has issues with file downloads.
closing...
Hi! I recently got a ticket for Arch Linux that points to a checksum mismatch for the 0.9.34 release of qtractor.
As I still had the old tarball from 2023-06-07, I was able to run diffoscope on the new and old tarball (below shows an excerpt with code changes only):
Please don't retag releases. This breaks reproducibility downstream and has downstreams chasing after potential upstream security issues :) Some packagers have automated systems running that allow them (if timing is right) to download tarballs only a few seconds or minutes after a release has been made. If a mistake happens, it is therefore advisable to just create a newer tag (e.g. 0.9.35).
FWIW, the above code change seems benign and I will rebuild the package to fix the issue, but I wanted to raise awareness for this problem (as it happens from time to time).
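The failure mode the issue describes, as an added example that is not part of the thread and not code from the qtractor or Arch Linux projects: a packager pins the SHA-256 of the tarball fetched on release day, the tag is moved, the same URL now serves different bytes, and the pinned checksum fails. The file names and contents below are constructed sample data (not the real qtractor sources), the tarballs are built in memory with fixed metadata so that only content changes affect the digest, and `diff_members` is a minimal stand-in for diffoscope that only reports which archive members were added, removed or changed.

```python
import hashlib
import io
import tarfile

# Constructed sample data: a hypothetical release before and after an upstream
# re-tag. Paths and contents are made up for this example.
ORIGINAL_FILES = {
    "qtractor-0.9.34/configure.ac": b"AC_INIT([qtractor],[0.9.34])\n",
    "qtractor-0.9.34/src/qtractorMain.cpp": b"int main() { return 0; }\n",
}
RETAGGED_FILES = {
    "qtractor-0.9.34/configure.ac": b"AC_INIT([qtractor],[0.9.34])\n",
    "qtractor-0.9.34/src/qtractorMain.cpp": b"int main() { return 1; }\n",
}


def build_tarball(files):
    """Build an uncompressed tar archive in memory from {path: bytes}.

    Header metadata (mtime, mode, owner) is pinned so the archive bytes depend
    only on the file contents. A real upstream tarball also carries mtimes and
    ownership, which is why downstreams pin the digest of the whole file.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_checksum(tarball, pinned_sha256):
    """The downstream check: the digest recorded at packaging time vs. the download."""
    return sha256_hex(tarball) == pinned_sha256


def diff_members(old_tarball, new_tarball):
    """Minimal diffoscope stand-in: which regular-file members differ between two archives."""
    def members(blob):
        out = {}
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            for m in tar.getmembers():
                if m.isfile():
                    out[m.name] = sha256_hex(tar.extractfile(m).read())
        return out

    old, new = members(old_tarball), members(new_tarball)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def check_release(pinned_sha256, downloaded, cached_copy=None):
    """Report 'ok', or a mismatch plus the member-level diff when an earlier copy
    of the same tag is still on disk (as the reporter had in this issue)."""
    if verify_checksum(downloaded, pinned_sha256):
        return {"status": "ok"}
    report = {
        "status": "mismatch",
        "expected": pinned_sha256,
        "actual": sha256_hex(downloaded),
    }
    if cached_copy is not None:
        report["diff"] = diff_members(cached_copy, downloaded)
    return report


if __name__ == "__main__":
    original = build_tarball(ORIGINAL_FILES)
    pinned = sha256_hex(original)             # recorded by the packager on release day
    retagged = build_tarball(RETAGGED_FILES)  # what the same URL serves after the re-tag
    print(check_release(pinned, retagged, cached_copy=original))
```

The point of keeping the old copy is that a bare checksum mismatch cannot tell a benign re-tag from a compromised download server; only a content-level diff against a trusted earlier copy (or a fresh tag whose contents can be reviewed) lets the packager decide which it is.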