rncbc / qtractor

Qtractor - An Audio/MIDI multi-track sequencer
https://qtractor.org
GNU General Public License v2.0

0.9.34 has been retagged #401

Closed dvzrv closed 10 months ago

dvzrv commented 12 months ago

Hi! I recently got a ticket for Arch Linux that points to a checksum mismatch for the 0.9.34 release of qtractor.

As I still had the old tarball from 2023-06-07, I was able to run diffoscope on the new and old tarballs (below is an excerpt with code changes only):

│ ├── qtractor-qtractor_0_9_34/src/qtractorClapPlugin.cpp
│ │ @@ -442,23 +442,23 @@
│ │             plugin->get_extension(plugin, CLAP_EXT_AUDIO_PORTS));
│ │     if (audio_ports && audio_ports->count && audio_ports->get) {
│ │         clap_audio_port_info info;
│ │         const uint32_t nins = audio_ports->count(plugin, true);
│ │         for (uint32_t i = 0; i < nins; ++i) {
│ │             ::memset(&info, 0, sizeof(info));
│ │             if (audio_ports->get(plugin, i, true, &info)) {
│ │ -           //  if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │ +               if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │                     m_iAudioIns += info.channel_count;
│ │             }
│ │         }
│ │         const uint32_t nouts = audio_ports->count(plugin, false);
│ │         for (uint32_t i = 0; i < nouts; ++i) {
│ │             ::memset(&info, 0, sizeof(info));
│ │             if (audio_ports->get(plugin, i, false, &info)) {
│ │ -           //  if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │ +               if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │                     m_iAudioOuts += info.channel_count;
│ │             }
│ │         }
│ │     }
│ │  
│ │     m_iMidiIns = 0;
│ │     m_iMidiOuts = 0;
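Review bot: uncommenting `if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)` in this hunk (`@@ -442,23`) changes what `m_iAudioIns` and `m_iAudioOuts` count, from every audio port the plugin reports to only the ports flagged as main, so this is a behaviour change to plugin I/O detection rather than a cosmetic one; it deserves a changelog entry and, as the issue points out, a new tag instead of a rewrite of the already published 0.9.34 tarball. Minor style point: both guarded bodies are braceless single statements (`m_iAudioIns += info.channel_count;`), which is fine today but worth bracing now that the condition is live, so a later second statement cannot silently escape the check.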
│ ├── qtractor-qtractor_0_9_34/src/qtractor_plugin_scan.cpp
│ │ @@ -1,11 +1,11 @@
│ │  // qtractor_plugin_scan.cpp
│ │  //
│ │  /****************************************************************************
│ │ -   Copyright (C) 2005-202, rncbc aka Rui Nuno Capela. All rights reserved.
│ │ +   Copyright (C) 2005-2023, rncbc aka Rui Nuno Capela. All rights reserved.
│ │  
│ │     This program is free software; you can redistribute it and/or
│ │     modify it under the terms of the GNU General Public License
│ │     as published by the Free Software Foundation; either version 2
│ │     of the License, or (at your option) any later version.
│ │  
│ │     This program is distributed in the hope that it will be useful,
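Review bot: the header fix from `Copyright (C) 2005-202,` to `Copyright (C) 2005-2023,` in qtractor_plugin_scan.cpp is correct but purely cosmetic, and on its own it already changes the release tarball's checksum; folding it into a re-tag of a published release is exactly what breaks downstream verification here, so a fix like this should ride the next tag rather than be rewritten into 0.9.34.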
│ │ @@ -1502,23 +1502,23 @@
│ │                 m_plugin->get_extension(m_plugin, CLAP_EXT_AUDIO_PORTS));
│ │         if (audio_ports && audio_ports->count && audio_ports->get) {
│ │             clap_audio_port_info info;
│ │             const uint32_t nins = audio_ports->count(m_plugin, true);
│ │             for (uint32_t i = 0; i < nins; ++i) {
│ │                 ::memset(&info, 0, sizeof(info));
│ │                 if (audio_ports->get(m_plugin, i, true, &info)) {
│ │ -               //  if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │ +                   if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │                         m_iAudioIns += info.channel_count;
│ │                 }
│ │             }
│ │             const uint32_t nouts = audio_ports->count(m_plugin, false);
│ │             for (uint32_t i = 0; i < nouts; ++i) {
│ │                 ::memset(&info, 0, sizeof(info));
│ │                 if (audio_ports->get(m_plugin, i, false, &info)) {
│ │ -               //  if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │ +                   if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
│ │                         m_iAudioOuts += info.channel_count;
│ │                 }
│ │             }
│ │         }
│ │  
│ │         const clap_plugin_note_ports *note_ports
│ │             = static_cast<const clap_plugin_note_ports *> (
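Review bot: this hunk (`@@ -1502,23`) is the same port-counting loop as the one in qtractorClapPlugin.cpp with `m_plugin` in place of `plugin`, and both copies had to be patched in lockstep in this very change; that duplication is the argument for moving the audio-port count into one shared helper used by both the in-process plugin and the scanner, so the two cannot drift apart the next time the condition is touched.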

Please don't retag releases. This breaks reproducibility downstream and has downstreams chasing after potential upstream security issues :) Some packagers have automated systems running that allow them (if timing is right) to download tarballs only a few seconds or minutes after a release has been made. If a mistake happens, it is therefore advisable to just create a newer tag (e.g. 0.9.35).

FWIW, the above code change seems benign and I will rebuild the package to fix the issue, but I wanted to raise awareness for this problem (as it happens from time to time).
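The check a packager runs when a pinned tarball stops matching, as an added example that is not code from qtractor or from this issue: two archives are built in memory from the snippet quoted above (constructed sample content, with a placeholder member path standing in for the real source tree), the first one's SHA-256 is recorded as the pin, and the second one, the "retagged" release, fails the pin and is then compared member by member, which is the diffoscope step done by hand. File names, the pinned value and the `check_release` helper are assumptions of this example, not anything from the project.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample contents: the port-counting lines quoted in the issue,
# before and after the re-tag. A real packager would read tarballs from disk.
OLD_SRC = b"""if (audio_ports->get(plugin, i, true, &info)) {
//  if (info.flags & CLAP_AUDIO_PORT_IS_MAIN)
        m_iAudioIns += info.channel_count;
}
"""
NEW_SRC = OLD_SRC.replace(b"//  if", b"    if")          # the check goes live
README = b"Qtractor - An Audio/MIDI multi-track sequencer\n"  # unchanged member

# Placeholder member paths; not the project's real release layout.
SRC_PATH = "qtractor-0.9.34/src/qtractorClapPlugin.cpp"
README_PATH = "qtractor-0.9.34/README"
OLD_FILES = {SRC_PATH: OLD_SRC, README_PATH: README}
NEW_FILES = {SRC_PATH: NEW_SRC, README_PATH: README}


def build_tarball(files):
    """Build a deterministic, uncompressed tar archive from {path: bytes}.

    Sorted member order and fixed mtime/uid/gid mean identical inputs always
    produce identical bytes, which is what makes a checksum pin meaningful.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data, pinned_sha256):
    """True if the artefact matches the recorded pin (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256)


def _members(blob):
    """Map of regular-file member name -> content for one archive."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def changed_members(old, new):
    """Sorted names of members that were added, removed or modified."""
    a, b = _members(old), _members(new)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def check_release(data, pinned_sha256, baseline=None):
    """Verify a fetched tarball against its pin; on mismatch, if the previously
    fetched copy is still around, report exactly which members differ."""
    ok = verify_pinned(data, pinned_sha256)
    result = {"ok": ok, "sha256": sha256_hex(data), "changed": []}
    if not ok and baseline is not None:
        result["changed"] = changed_members(baseline, data)
    return result


# What the packager recorded on the first fetch, and what arrived after the re-tag.
OLD_TARBALL = build_tarball(OLD_FILES)
NEW_TARBALL = build_tarball(NEW_FILES)
PINNED_SHA256 = sha256_hex(OLD_TARBALL)

if __name__ == "__main__":
    print("original :", check_release(OLD_TARBALL, PINNED_SHA256))
    print("retagged :", check_release(NEW_TARBALL, PINNED_SHA256, baseline=OLD_TARBALL))
```

The point of keeping the old tarball is visible in the second call: a bare checksum mismatch only says "something changed", while the member diff says what changed, which is the information needed to decide whether the rebuild is a routine refresh or an incident.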

rncbc commented 12 months ago

hi Dave,

sorry for that re-tagging back in early june 8th.

afaicr. it was done on the same day and prior to the righteous and official release announcement, maybe just a few minutes apart and quite frankly you should only proceed to release packaging once the "official" release announcement is made, or in the next day to be on the safe side.

also, in the same vein, maybe you can explain why qtractor releases are so fast to cope, but qpwgraph's are so dang slow? the latter is still creeping way behind yours (archlinux) tagging detection process--it is short of 3 consecutive release tags already o.O ;)

cheers

ps. otoh. github is not, never was, the "official" project repo; it's just a mirror and sync to true origin may lag sometimes.

dvzrv commented 12 months ago

> afaicr. it was done on the same day and prior to the righteous and official release announcement, maybe just a few minutes apart and quite frankly you should only proceed to release packaging once the "official" release announcement is made, or in the next day to be on the safe side.

Maintaining a couple of hundred packages, I unfortunately do not have the luxury to keep lists of when upstreams deem something ready or not yet ready. The fact remains that retagging is problematic (not only for me).

> also, in the same vein, maybe you can explain why qtractor releases are so fast to cope, but qpwgraph's are so dang slow?

The maintainer is sort of M.I.A. I can adopt it and see if I can bump it more frequently!

> github is not, never was, the "official" project repo; it's just a mirror and sync to true origin may lag sometimes.

That's fine. I just prefer it for availability, as sourceforge is super slow and often has issues with file downloads.

rncbc commented 10 months ago

closing...