[gentoo-dev] heads up: codeberg changed gzip impls (?) for ${REPO}/archive/${TAG}.tar.gz files

[gentoo-dev] heads up: codeberg changed gzip impls (?) for ${REPO}/archive/${TAG}.tar.gz files

[Arsen Arsenović]

[-- Attachment #1: Type: text/plain, Size: 1142 bytes --]

hi,

it seems that codeberg has changed how they produce their archives on
URLs like <https://codeberg.org/dnkl/foot/archive/${tag}.tar.gz> leading
to digest failures like <https://bugs.gentoo.org/919135>, as implied by
the following checks:

  ~$ diff <(<dls/foot-1.16.2.tar.gz gzip -d) <(</var/cache/distfiles/foot-1.16.2.tar.gz gzip -d)
  ~$ diff <(<dls/foot-1.16.2.tar.gz cat) <(</var/cache/distfiles/foot-1.16.2.tar.gz cat)
  Binary files /dev/fd/63 and /dev/fd/62 differ

the above shows that compressed content differs while decompressed
content remains identical.

(dls/foot-1.16.2.tar.gz is downloaded from the master distfiles mirror,
/var/cache/distfiles/foot-1.16.2.tar.gz is fetched from codeberg at
around two in the morning last night)

you might want to regenerate manifests for projects fetching from
/archive/ urls on codeberg.

Daniel, thank you for working on foot.  may I ask that you attach 'meson
dist'-generated files to releases?  you could also use that opportunity
to hash or sign them, if you so desire.

in either case, thank you again.

have a lovely day, all!
-- 
Arsen Arsenović

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 381 bytes --]

Re: [gentoo-dev] heads up: codeberg changed gzip impls (?) for ${REPO}/archive/${TAG}.tar.gz files

[Arsen Arsenović]

[-- Attachment #1: Type: text/plain, Size: 1065 bytes --]


Arsen Arsenović <arsen@gentoo.org> writes:

> hi,
>
> it seems that codeberg has changed how they produce their archives on
> URLs like <https://codeberg.org/dnkl/foot/archive/${tag}.tar.gz> leading
> to digest failures like <https://bugs.gentoo.org/919135>, as implied by
> the following checks:
>
>   ~$ diff <(<dls/foot-1.16.2.tar.gz gzip -d) <(</var/cache/distfiles/foot-1.16.2.tar.gz gzip -d)
>   ~$ diff <(<dls/foot-1.16.2.tar.gz cat) <(</var/cache/distfiles/foot-1.16.2.tar.gz cat)
>   Binary files /dev/fd/63 and /dev/fd/62 differ
>
> the above shows that compressed content differs while decompressed
> content remains identical.
>
> (dls/foot-1.16.2.tar.gz is downloaded from the master distfiles mirror,
> /var/cache/distfiles/foot-1.16.2.tar.gz is fetched from codeberg at
> around two in the morning last night)
>
> you might want to regenerate manifests for projects fetching from
> /archive/ urls on codeberg.

ps, also filed https://codeberg.org/Codeberg/Community/issues/1366 per
ulms suggestion.
-- 
Arsen Arsenović

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 381 bytes --]

Re: [gentoo-dev] heads up: codeberg changed gzip impls (?) for ${REPO}/archive/${TAG}.tar.gz files

[Eli Schwartz]

On 12/11/23 5:47 AM, Arsen Arsenović wrote:
> hi,
> 
> it seems that codeberg has changed how they produce their archives on
> URLs like <https://codeberg.org/dnkl/foot/archive/${tag}.tar.gz> leading
> to digest failures like <https://bugs.gentoo.org/919135>, as implied by
> the following checks:
> 
>   ~$ diff <(<dls/foot-1.16.2.tar.gz gzip -d) <(</var/cache/distfiles/foot-1.16.2.tar.gz gzip -d)
>   ~$ diff <(<dls/foot-1.16.2.tar.gz cat) <(</var/cache/distfiles/foot-1.16.2.tar.gz cat)
>   Binary files /dev/fd/63 and /dev/fd/62 differ
> 
> the above shows that compressed content differs while decompressed
> content remains identical.
> 
> (dls/foot-1.16.2.tar.gz is downloaded from the master distfiles mirror,
> /var/cache/distfiles/foot-1.16.2.tar.gz is fetched from codeberg at
> around two in the morning last night)
> 
> you might want to regenerate manifests for projects fetching from
> /archive/ urls on codeberg.
> 
> Daniel, thank you for working on foot.  may I ask that you attach 'meson
> dist'-generated files to releases?  you could also use that opportunity
> to hash or sign them, if you so desire.
> 
> in either case, thank you again.
> 
> have a lovely day, all!


It sounds like they completely failed to get the memo about:
https://github.com/orgs/community/discussions/46034

However, I really do wish tremendously that they *would* change all
tarball checksums... for a good reason!

Namely, they need to fix https://github.com/go-gitea/gitea/issues/18078
because currently gitea-based software forges kind of suck and I'd
rather no one used them for anything, lol.

It does appear that since last year when they fixed an unrelated issue,
closed *this* issue as "not fixed but sometime in the future we'll fix
it, we pinky promise"...

... that they've fixed the issue for manually uploaded release assets
where the download url was based on an unpredictable uuid.

So that's sort of kind of a little bit good at least.



-- 
Eli Schwartz