Closed chenrui333 closed 8 months ago
Could it be related to renaming of repository?
> Could it be related to renaming of repository?
nope, see this example https://github.com/Homebrew/homebrew-core/pull/157076
This is a mystery! No re-tagging as far as we are aware.
We confirmed before renaming the repository that it should not affect the formula since GitHub redirects. That is also why we haven't done a PR to homebrew-core just yet.
But thanks for pointing this out, I will try and see if I can find out why it has changed. Interestingly enough, the GUI still says the tar.gz was uploaded Mar 27, 2023, so that means it should have been wrong all along?
Been digging a bit, cannot find any valid reason for a checksum change. The tag v0.0.6 is still from Mar 27, 2023 on the same commit: 40f4aec.
So the only reason I can see is that GitHub does not guarantee checksum stability. Can that be the reason?
Here is some reading on GitHub's standpoint.
> So the only reason I can see is that GitHub does not guarantee checksum stability. Can that be the reason?
recently, we found that zrok has a similar checksum stability issue, see https://github.com/openziti/zrok/issues/561
Okay, so I cloned a fresh repo, checked out the tag v0.0.6. Then I downloaded the source code using the URL in our formula, uncompressed it.
I compared the two folders using `diff -ru tkey-ssh-agent ~/Downloads/tkey-ssh-agent-0.0.6`
I get
`Only in tkey-ssh-agent: .git`
So no difference that is not expected.
I do get this checksum (the same as in the PR)
b0ace3e21b9fc739a05c0049131f7386efa766936576d56c206d3abd0caed668 tkey-ssh-agent-0.0.6.tar.gz
So I guess we can conclude that the new checksum is valid, and the explanation is that GitHub simply now generates a different checksum. I think we can close this issue now.
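The comparison described in the comment above (archive bytes differ, extracted files do not) can be done without unpacking anything. This is an added example, not code from the thread or from either project; the sample archives, the `renamed-0.0.6` prefix and the function names are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

def archive_sha256(data: bytes) -> str:
    """Checksum of the compressed bytes, the value a formula pins."""
    return hashlib.sha256(data).hexdigest()

def content_digest(data: bytes, strip_top: bool = True) -> str:
    """Hash paths, entry types, exec bit and file bytes only.
    Ignores gzip framing, tar mtime/owner fields, member order and,
    with strip_top, the top-level directory name (assumed to be the
    only part of the path that depends on the repository name)."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            path = m.name.partition("/")[2] if strip_top else m.name
            if m.isfile():
                body = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                body = m.linkname  # symlink target; empty for directories
            entries.append((path, m.type.decode(), bool(m.mode & 0o100), body))
    h = hashlib.sha256()
    for entry in sorted(entries):
        h.update(repr(entry).encode())
    return h.hexdigest()

def build_sample(prefix, files, mtime, level):
    """Constructed stand-in for a generated source tarball."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name, body in files:
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size, info.mtime, info.mode = len(body), mtime, 0o644
            tar.addfile(info, io.BytesIO(body))
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=mtime)

# Constructed sample data: same files, different packaging metadata.
FILES = [("go.mod", b"module example\n"), ("main.go", b"package main\n")]
SAMPLE_A = build_sample("tkey-ssh-agent-0.0.6", FILES, 1679900000, 6)
SAMPLE_B = build_sample("renamed-0.0.6", FILES[::-1], 1700000000, 9)
# Same packaging as A, but one file's bytes changed.
TAMPERED = build_sample("tkey-ssh-agent-0.0.6",
                        [FILES[0], ("main.go", b"package evil\n")], 1679900000, 6)

if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("tampered", TAMPERED)):
        print(label, archive_sha256(blob)[:16], content_digest(blob)[:16])
```

Equal content digests only show that two archives carry the same files; the trust decision still rests on comparing against a checkout of the tagged commit, as done in the comment above.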
> So I guess we can conclude that the new checksum is valid, and the explanation is that GitHub simply now generates a different checksum. I think we can close this issue now.
If you don't mind, can you also report this to GitHub to see if we can get some help on understanding the root cause?
On a similar note, we (Homebrew) recently had a big thread on the cog checksum mismatch, which might also help.
> If you don't mind, can you also report this to GitHub to see if we can get some help on understanding the root cause?
Sure!
> On a similar note, we (Homebrew) recently had a big thread on the cog checksum mismatch, which might also help.
Great, this might give some insight. Will look it through.
I have filed a support ticket with GitHub to see if they can help understand the issue.
I don't find we have the same issue as Cog had. AFAIK we don't have a `.git_archival.txt` or similar. We have also had rebuilds on Homebrew on the same tag in August of 2023, four months after the tag was created and the checksum had not changed.
I really cannot find any explanation for this. I will wait and see the response from GitHub Support. Unless anyone has any other suggestion of what to look into.
@dehanj another idea, can we upload the source tarball as a GitHub asset into each release (in that way, it won't be changed at all)
@chenrui333 Sure, that is possible. It won't give any insight into why this happened though. The reason we used the tarball from GitHub is because we thought it was standard procedure. Maybe we are wrong?
This might not be a discussion that should happen in this issue, but I'm curious. What is Homebrew's official recommendation on how to provide the source code to the Formula? Since GitHub may be re-generating the tar.gz to save space, and since GitHub has never guaranteed checksum stability (even if it seems like it has been taken for granted, but actually has seldom changed).
> The reason we used the tarball from GitHub is because we thought it was standard procedure. Maybe we are wrong?
yeah, it is the default source code tarball, we just took it for convenience, but if projects have a release source tarball rather than the GitHub one, we intend to use them instead of the GitHub default.
> Since GitHub may be re-generating the tar.gz to save space, and since GitHub has never guaranteed checksum stability (even if it seems like it has been taken for granted, but actually has seldom changed).
but like what @ZhongRuoYu found in https://github.com/Homebrew/homebrew-core/pull/162731#issuecomment-1974978327, whenever the metadata changes, it would cause some GitHub source tarball change.
There is no official recommendation on this yet, but due to the GitHub tarball stability, I did add an audit making sure the right source tarball is being referenced in the formula.
Then we can conclude this is due to the renaming of the repository. Thanks for the help!
👋 While building the go@1.21 formula and dependencies, we found that the tkey-ssh-agent 0.0.6 source tarball has a checksum mismatch; raising this issue to confirm whether a git re-tagging happened. Thanks! 🙏