Describe the bug
Hi! I package this project for Arch Linux.
It appears you have altered the uploaded tarball for 21.10.0:
I have a tarball downloaded on 2021-10-27, which has the b2sum 78fa8e41261eed836edc42cd311f85b46ad81279b33d64ee17a8937e383fea5b87acc589da60be921569e2f6d9a7bdf8ce285515030425ffff86c081bb60a64a.
The current tarball however has the checksum 87ea3d94e15f88f1d1e6c495e190e729fb60345336169c17aed9cd8955cc85bc6d802beaa1cd6f779e5586b336bba5c888e29e5a0b0202e6a011de77d89c30c3.
The diff of the contents of the tarballs is:
To Reproduce
Download a tarball for 21.10.0 on 2021-10-27, then download it now.
Expected behavior
The tarballs never change.
Screenshots
n/a
Your Environment
SMTube version: 21.10.0
OS: Arch Linux
Additional context
Checksums are used by downstreams to ensure reproducibility for a given package and to guard against supply chain attacks.
Arbitrarily changing an already released tarball is bad practice as it breaks reproducibility and has downstreams chasing upstreams to clarify the differences between two tarballs (in this case negligible).
Please just release a new version if this happens in the future (e.g. that is what 21.10.1 would be used for), as the consequences for downstreams are not great at all.
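The check a downstream packager runs is the one the report alludes to: pin the digest of the release artifact at packaging time and refuse to build from anything that no longer matches. The following is an added example, not code from the issue author or from the SMTube project; it uses GNU coreutils `b2sum` (the tool named in the report, falling back to `sha256sum` where it is absent), and the "release" files it hashes are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original issue): verify a downloaded release
# tarball against the checksum pinned at packaging time, the way a downstream
# packager's build script does, and refuse to build if it has changed.
# Assumes GNU coreutils b2sum; falls back to sha256sum where b2sum is absent.

set -u

# Print the hex digest of a file with the strongest tool available.
checksum_file() {
    if command -v b2sum >/dev/null 2>&1; then
        b2sum "$1" | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_DIGEST
# Returns 0 when the file matches the pinned digest, 1 otherwise.
# Status text goes to stderr so callers can use the exit code alone.
verify_pinned() {
    file=$1
    expected=$2
    actual=$(checksum_file "$file")
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s\n' "$file" >&2
        return 0
    fi
    printf 'MISMATCH %s\n  pinned: %s\n  actual: %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Demonstration on constructed data: "release.tar" stands in for the tarball
# the packager hashed on the day of packaging; "release_republished.tar" is the
# same file name re-uploaded with a trivial change. The second must be rejected
# rather than silently accepted, even though the difference is negligible.
# Returns 0 only if the original is accepted and the republished copy rejected.
demo() {
    tmp=$(mktemp -d)
    printf 'smtube-21.10.0 sources (constructed sample)\n' > "$tmp/release.tar"
    pinned=$(checksum_file "$tmp/release.tar")

    cp "$tmp/release.tar" "$tmp/release_republished.tar"
    printf 'one changed line\n' >> "$tmp/release_republished.tar"

    verify_pinned "$tmp/release.tar" "$pinned"; first=$?
    verify_pinned "$tmp/release_republished.tar" "$pinned"; second=$?
    rm -rf "$tmp"

    [ "$first" -eq 0 ] && [ "$second" -eq 1 ]
}

demo
```

In a real package recipe the pinned digest is a literal copied into the build file (for Arch, the `b2sums=(...)` array that `makepkg` checks), so a quietly replaced upstream tarball fails the build instead of being packaged; the only remedy is then a new upstream version with a new pinned digest, which is exactly what the report asks for.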