From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-100836-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 6CC0E158013
	for <garchives@archives.gentoo.org>; Mon, 11 Dec 2023 13:43:46 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 77E812BC03D;
	Mon, 11 Dec 2023 13:43:42 +0000 (UTC)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 33C922BC02E
	for <gentoo-dev@lists.gentoo.org>; Mon, 11 Dec 2023 13:43:42 +0000 (UTC)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-5c85e8fdd2dso43055827b3.2
        for <gentoo-dev@lists.gentoo.org>; Mon, 11 Dec 2023 05:43:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1702302220; x=1702907020; darn=lists.gentoo.org;
        h=content-transfer-encoding:in-reply-to:autocrypt:from:references:to
         :content-language:subject:user-agent:mime-version:date:message-id
         :from:to:cc:subject:date:message-id:reply-to;
        bh=NuCcOOPttdqevNS+DvK4R26Sawp7H4LRHX6jn9rjFLU=;
        b=JU8nBF5OEH2ANAm2KMRDeDArmipOGAqIcChm89fY9vUKMhKBTQU/GPhz++qIpj6dkO
         ffwWzoWbtJavoy/JDuBvs63blgzhxayEcBshmERSEhJ/rUQa2Hul+7tkCT9oDQshhDt1
         xMb2TPP+/cspPuqvALtD47G8+OXLbQT6C5YAgTJRy/KcVwXQH385HnpwiRRDjl2u+v5S
         VThG3yEq1vH4FNsacTTy8NH5NE8jomvN3ktOqp8bMhepJRZWDkRDIsE/NhjfY3Ujxmvx
         v+M7YEkja1LjjeLcY8NH34dJSsTd1+vK3yOFKFLQ3WZbZx4HQ+lqVP6u1RuSRGx3rMNO
         l4RQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1702302220; x=1702907020;
        h=content-transfer-encoding:in-reply-to:autocrypt:from:references:to
         :content-language:subject:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=NuCcOOPttdqevNS+DvK4R26Sawp7H4LRHX6jn9rjFLU=;
        b=Hfj6lkn1uC0TjTDPf4jNINeedbgtjkh559RZKTTaZe0YEGlvq5fOv7yeVI1fLU1hRo
         rhjllgHQzJPyQe2bGZuR/dtsY6M4h2RIH3WiZn/oiFNO4sEYoOL9JrAEeqR5azLauAfl
         gkXv4wrq54QQbhgayrzT/oKOvJ5SrzNPss8QhBC9DrD2gp/ytsIckE4sVDSubYBOErHA
         THPC/aOXtgiXQwGecNYi/KVxvdiKPYUbbp9y9j1bUvVbjuOu+W7UGRHN6Y8B0coh2T21
         0xuSIb+eKX+oh73AxEfxXedEl5SB4jNhEfAY2hhevbVGlV3RBjRry0NjCdK7Admoga4Y
         u2bA==
X-Gm-Message-State: AOJu0YxSsJCSuf2qZtqaVDwftoigmtxOoJZ0dp3qWUO4w7fEuYqrdcrT
	q6HJtCO54tSDviGll68SzFN+O7QAV5M=
X-Google-Smtp-Source: AGHT+IFG5IWWxoYZ8sDHIv7Fn9+jC+eQ8Q8ZHx6v7Ela3e6OXzPBepQYwgt/DzMLlOpWfk9nqzLVag==
X-Received: by 2002:a0d:e20e:0:b0:5c9:8366:33b2 with SMTP id l14-20020a0de20e000000b005c9836633b2mr3623770ywe.44.1702302220472;
        Mon, 11 Dec 2023 05:43:40 -0800 (PST)
Received: from [192.168.1.89] (108-200-163-197.lightspeed.bcvloh.sbcglobal.net. [108.200.163.197])
        by smtp.gmail.com with ESMTPSA id w5-20020a0dd405000000b005d23b8a7e1bsm3019794ywd.91.2023.12.11.05.43.39
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 11 Dec 2023 05:43:39 -0800 (PST)
Message-ID: <9c150c49-74e0-42c5-8120-2eebe782833a@gmail.com>
Date: Mon, 11 Dec 2023 08:43:35 -0500
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [gentoo-dev] heads up: codeberg changed gzip impls (?) for
 ${REPO}/archive/${TAG}.tar.gz files
Content-Language: en-US
To: gentoo-dev@lists.gentoo.org, =?UTF-8?Q?Arsen_Arsenovi=C4=87?=
 <arsen@gentoo.org>, =?UTF-8?Q?Daniel_Ekl=C3=B6f?= <daniel@ekloef.se>
References: <86h6kpaty4.fsf@gentoo.org>
From: Eli Schwartz <eschwartz93@gmail.com>
Autocrypt: addr=eschwartz93@gmail.com; keydata=
 xsFNBFcpfj0BEADkTcFAwHJmtXbR7WHu6qJ3c83ccZl4qjBsU//JEn9yTtfj8M2a3g+lpGAF
 C/8isGz9InmrqBn1BXQFwcySAkRYuromR5ZPH1HIsv21RTtJbo5wCs8GlvoRYsp5pE7JEIVC
 RsWixG5pFhinlssUxtm0szlrzfaKanohWDfj+2WuWh4doXJZtTQePCGpouSziButkwkgQMqE
 U+ubBiTtjF/f/oCyC6YMWx+5knaqNSWxjF52rXAngVD0YYAiJ7o0KOQhrC2RLF+l0x4hRikp
 QaZrqVL1CaP7gjceOlOZ/zdCOImAaha9ygZiJG652HCIPfsy7uypYwxoMEeldoTnsXbjJXuL
 fMwIp8dCVbKMhebXdCNIWCjNewusz3I4+JjOO+uPgA+YgHu8+A56tpJ7lmHw5C95XjheXt/N
 bo9HONG4oeILZ9pQxnx93ocZM6v0W+taoBbPzOLE0al7Oy5vmJwO/QkprDU/TkzPtrgiCKPV
 Ml/+smp5FXbOjp/Y5UVlFmj2aemDIVAv70RlewAytwQLdGHLv3Au81hq5xrX7JAopEkfhYJY
 g2+7s78C0VaMPXHw2XyLpj5uPBR2q8KihSaASfhGBH0IcxLd+lEq1+NHT2l/WlQVjRfXHZns
 k8giW8M12TJZvvm9rpXMAFk7zSmmojp1M/7+ImOTcDYvErW1iQARAQABzSRFbGkgU2Nod2Fy
 dHogPGVzY2h3YXJ0ejkzQGdtYWlsLmNvbT7CwZQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID
 AQACHgECF4AWIQS9J7B6XvRcKtr3DgSEgYpoGa9KmwUCYstIWwUJEUVkngAKCRCEgYpoGa9K
 m50AEACoEoXaBaVerjTGbezOHK8J+GWkDJQ8wetJJfHhBgDq/lypKF+1LmolXAkmJF29ShBx
 r9zr5n91E1xn4bX53X8NdVAf2r/dFMtzlu0jsl0UcZ6OllpkTBtWqbjNgAI+C/v/lbBVcCz+
 irtrRfM/guLNaaUuZlh+Qtt4kdKygP64jhqRude/eD0tAVzXbnka0k2E40dNT8W23SPnbjJh
 gpZeGeufIf8xFddDdLaqZMuxjDcxqq1jcasPB8M57Vkt5NpTaIvCtO4ZWejoj9im+Onsdvfs
 3mCHr1DcIEAYj36/2U8yXzpsdgFXD96WcLFRL3l4ELTAPua3MFNdty6Bf35Yli1Fby4yOnf8
 5UQd4SRh1pYqBoBw7uEtY8qOJR+bvqo2XnTrR9HVYBZVrVhFe/CCSxOfm2ZxZn2bzMzoJZ5X
 jcMNGdkHVcutvgJOIUASnwSoJM4hoVdwRmGgrT1Mu18rkk05+NjElPmGcn9vFZXVddnqvuqd
 gf4di2xl0adpWgFFSfKeOBjNcPSQqNLjNcJTGVJ0lvlmGcYfyw020IoGu/bBEUpQA12i/4JE
 N5Qx1frWsvXQ+ioJkFsjydbpWqLR5xI44p1FWU2lwKT4QbtSkgx9sHOec+DIIarwxqDiMXR9
 ZhG/Ue7+pXAVD/Zs/XtxXCZQBhl7keIXTmZKTccuYM7BTQRXKX49ARAAo1bWz1d7RvffuaX9
 SAOqQEfeEHaRilIKpqU5+yuBSd7vLNF1QPb105cuMJtj0bHhQnqYlToNODAHn9Ug+Axgz3dT
 +s8j1/mizFLfgpHnWdNr7/a1lMPhmPqtoeEdUAd0bqX94xHedZBtlvhLAwoelNhatJkqbrWc
 voI9d3RMLA3tPrTxY6aeDTa+5LL8oHeZ04KXlWxQIqxXT+e0JEs+0V9viicYy/8i4DqfObtr
 jdNOV3cKCW3rmNTATlVmciGY8xHkwM77C67ibFyYOdoYo6IP7EUI1oTBZN1M2A23sSgUlAHP
 qPFwD38JPiBLYu5pIA3SwDaatTD/+BEdhsiIQsZaWsn0E98Bb0bHfukMvEYFEcwA//HXTVIN
 SGry/Tc9baIgD0hG8ImDCbR9RfXdz0uzelHypcKGnGB7FLtZ8Vw4swa06CXEGG0Oo5AfYRuU
 2bQtFxH66xHEFSfgfpTy5nHTH9Ra1mTtpoDil6rMLq1q43w5XP7oEucZwdZa+hlj2M4I/i+I
 gcaU+Bd9bQMa2mmvmI7pOFMxCCvprY5fDaRY1v8rKWRg12bD4kYM3npR37rWkk+Zdj+w+XgS
 oCW0gNT2yHDDMq7H6qYUjyvaG8l0vhWb44rzQLBFfQv/Lc3QI4jUu6e7TbQui3cw5Qn0E+yu
 4teV2fIVDbLB8wvRS/8AEQEAAcLBfAQYAQoAJgIbDBYhBL0nsHpe9Fwq2vcOBISBimgZr0qb
 BQJiy0j1BQkRRWU4AAoJEISBimgZr0qbjUwQAL+qByV+VpVmD3Guqym9uUX/gUmLdLar7ZrM
 Nr3RnDo/N0Dl2IZpm+eoNGlnBh2+q6bcZUWWoEtbOoy6XrlPnx3Cf+Bg4bFDNN4ibIQkYV2z
 cU9E1AWadCKUm1Z2eDqjc5TlLZiyUGQUh4kAW2Z3gFe1ffhyKarVExfTSxwE1ec5Q9cy6T29
 iO3QjAD3v7R9EXZJIn/RRbsaWQSQLz+DVDZxjy2XcmTGLS3HMIqdYFHYAxUx7HLbCAhfIyD0
 TDsMOutl3B2PWENYWmhO6E+USSwPokx461ePqcYG5haqnoUcXGQ2SGtLaoQ2iKGvGAe17xpQ
 yHK7NGSPWOEmYSJ1bRFJYKoe8+jtesoEY335hyQRn7RbMvTslVUvtVjRYu4FXOwPXT3NLbj8
 v+in+Njm1UfuWvOZS695wepBGvDtMM3Ze+ZRB3S7zmo1/eKol1cQQ/abYlX+7TrUbxcQ+bAQ
 b8PeDaL4sAH77fE6m+3jsMb1CFbN3+LcaUxGV7ysh7kVYVqwhiRqnmF0E3I9z3nyZ9HQgwHt
 1jmoa4lMiRDnkkOFdhoJ3vqmxHKW9XtxrUJlLQfTejUSooLFjNe6tvXgrTvrosGTpDZIIT0/
 8qKt4Nxg06u0jmnXMbbWwoPNWl9PfcPtNhjaycocCzfog5LI8N7HbRy+jHmArWAywaZVLrLe
In-Reply-To: <86h6kpaty4.fsf@gentoo.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Archives-Salt: b8f25a79-68c0-4f36-b626-bdc56dba0244
X-Archives-Hash: 0a3dba5c5146c02e4bd4919fdad26636

On 12/11/23 5:47 AM, Arsen Arsenović wrote:
> hi,
> 
> it seems that codeberg has changed how they produce their archives on
> URLs like <https://codeberg.org/dnkl/foot/archive/${tag}.tar.gz> leading
> to digest failures like <https://bugs.gentoo.org/919135>, as implied by
> the following checks:
> 
>   ~$ diff <(<dls/foot-1.16.2.tar.gz gzip -d) <(</var/cache/distfiles/foot-1.16.2.tar.gz gzip -d)
>   ~$ diff <(<dls/foot-1.16.2.tar.gz cat) <(</var/cache/distfiles/foot-1.16.2.tar.gz cat)
>   Binary files /dev/fd/63 and /dev/fd/62 differ
> 
> the above shows that compressed content differs while decompressed
> content remains identical.
> 
> (dls/foot-1.16.2.tar.gz is downloaded from the master distfiles mirror,
> /var/cache/distfiles/foot-1.16.2.tar.gz is fetched from codeberg at
> around two in the morning last night)
> 
> you might want to regenerate manifests for projects fetching from
> /archive/ urls on codeberg.
> 
> Daniel, thank you for working on foot.  may I ask that you attach 'meson
> dist'-generated files to releases?  you could also use that opportunity
> to hash or sign them, if you so desire.
> 
> in either case, thank you again.
> 
> have a lovely day, all!


It sounds like they completely failed to get the memo about:
https://github.com/orgs/community/discussions/46034

However, I really do wish tremendously that they *would* change all
tarball checksums... for a good reason!

Namely, they need to fix https://github.com/go-gitea/gitea/issues/18078
because currently gitea-based software forges kind of suck and I'd
rather no one used them for anything, lol.

It does appear that since last year when they fixed an unrelated issue,
closed *this* issue as "not fixed but sometime in the future we'll fix
it, we pinky promise"...

... that they've fixed the issue for manually uploaded release assets
where the download url was based on an unpredictable uuid.

So that's sort of kind of a little bit good at least.



-- 
Eli Schwartz