search

solo-io / squash

The debugger for microservices
https://squash.solo.io
Apache License 2.0
1.74k stars 103 forks source link

squashctl shasums out of sync #220

Closed bacongobbler closed 5 years ago

bacongobbler commented 5 years ago

The outcome of this issue is that squashctl 0.5.16 fails to install using gofish install squashctl.

It looks like a new version of the CLI was re-uploaded, breaking the checksum. This is a cause for concern as the original PR succeeded the checksum check, indicating that the binary being shipped has been changed since it was last released. That means there are two versions of squashctl 0.5.16 out there, and that would indicate that re-compiling squashctl from a tag will end with differing results.

This has occurred before with 0.5.14 and was recorded in https://github.com/fishworks/fish-food/issues/180.

Is there a way the CI process could produce identical squashctl CLIs when building from a tag? That way, compiling squashctl a second time won't output two separate shasums (and break package release integrity).

mitchdraft commented 5 years ago

Thanks for the feedback @bacongobbler. We are tracking some stability issues that cause releases to fail.

When we refactor the release pipeline to decouple the various publish steps this issue should not reoccur.

Regarding the repeatability of the sha, we have one known source of entropy:

squashctl --version
squashctl version 0.5.15, created 2019-05-14.23:26:51

There may be others but we can replace the timestamp with a commit sha