releasing proper tarballs #1891
Comments
|
E.g. the current release tarball has md5 |
|
That's how a releases page of a project with custom tarballs looks like: |
|
From my (admittedly limited) understanding the hashes would only change when github applies some git patch that affects hash generation. (Homebrew/homebrew-core#18044). (At least as far as I am aware there is nothing in OpenBLAS that actively modifies file content at or after release time to write e.g. a hash or date to one of the source files on the release branch). I am not aware that the OpenBLAS pages specify a particular hash for any version of the autogenerated tarballs either. |
|
Certainly, as openblas is not autoconf-based, the urgency of having custom
tarballs (that run without autotools installed) is not there.
However, the GitHub tarball naming is not convenient for automation, as I
already said, and relying on sourceforge for tarballs does not seem like a
good idea (they want to show you ads, and make their URL atrocious...)
You might still consider generating a custom tarball which is compressed
with bzip2 or xz. Please...
…On Thu, 29 Nov 2018 20:40 Martin Kroeker ***@***.*** wrote:
From my (admittedly limited) understanding the hashes would only change
when github applies some git patch that affects hash generation. (
Homebrew/homebrew-core#18044
<Homebrew/homebrew-core#18044>). (At least as
far as I am aware there is nothing in OpenBLAS that actively modifies file
content at or after release time to write e.g. a hash or date to one of the
source files on the release branch). I am not aware that the OpenBLAS pages
specify a particular hash for any version of the autogenerated tarballs
either.
Having one custom and one automatic tarball will practically identical
content but different hashes
on the release page does not look that good to me either.
Perhaps what you could do is download from the sourceforge archive that
automagically receives a copy of both zip and tarball through some
scripting beyond my control, which I expect will not re-run
whenever github changes anything in the background.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1891 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABN8HCTvA4AvIVWCo9MGtkVBa9eUMRzWks5u0EZZgaJpZM4Y6XIy>
.
|
|
wget does not show ads |
|
SF used to change URLs to prevent you from wgetting things
…On Thu, 29 Nov 2018 20:56 Andrew ***@***.*** wrote:
wget does not show ads
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1891 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABN8HDGo_BZ5iDm1huzFbKwsA2p8AVbSks5u0EoRgaJpZM4Y6XIy>
.
|
|
They claim not since 2011 |
Great, and how on Earth can one say it's not a hacked tarball, without actually untarring and diffing against your git repo, as it now has a different md5 from your supposedly canonical tarball? Do you see now why it's desirable to have a canonical tarball? |
|
If you are going to be paranoid about archive integrity, perhaps you should look into distributing a "verified" copy of OpenBLAS with your project ? If you assume either the OpenBLAS project account or github itself could get hacked, I do not see how any checksum posted with an archive there could be expected to remain trustworthy. |
|
We trust you with integrity of your repo and releases you make. But we need
means to check that tarballs you cut don't get corrupted in transmission
(or worse). And this does not work with the present scheme, as we have no
quick means to distinguish between the harmless github-induced changes of
hashes and ones we need to worry about.
…On Fri, 30 Nov 2018 07:01 Martin Kroeker ***@***.*** wrote:
If you are going to be paranoid about archive integrity, perhaps you
should look into distributing a "verified" copy of OpenBLAS with your
project ? If you assume either the OpenBLAS project account or github
itself could get hacked, I do not see how any checksum posted with an
archive there could be expected to remain trustworthy.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1891 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABN8HDyCCy9JezOfX5cLVbaH7bXCN9teks5u0NfPgaJpZM4Y6XIy>
.
|
|
@dimpase you can use other checksum that is not suspectible to collision attack, which is not applicable to compresed files anyway, it is applicable to altering whitespace to compensate for changing some text. Indeed you are free to diff against source tree used. It is not the first time github changes compression, since then all download links go to sf.net to avoid scaring people. If you have chance you can host distribution file properly with multiple checksums, re-compressed with zopfli (-10%) bzip2 (-50%) xz (-70% size) or .pax.Z (+80%) , we certainly do not modify those files after release. |
we are using a combination of md5, sha1, and a custom crc32-based checksum to ensure authenticity of tarballs (and we mirror them once a release is made). But we need to start somewhere, and a tarball that is changing over time is a non-starter. I reckon that out of dozens github-released packages we use, openblas is the only one that only does the default GitHub fluid tarballs as their releases.
You are sending me to a resource you don't control as the primary source for your releases. This looks quite fragile and potentially error-prone to me. |
|
sourceforge does not change file contents behind same names. |
uploading to github a custom tarball,in addition to making a github release, takes about 30 seconds of the |
|
You will have to change download link to get stable file either way. |
Sorry, I don't follow you here. Open releases tab, select a release, click on Edit in the right top corner. You'll see a prompt saying "Attach binaries by dropping them there or selecting them". Upload the tarball you created, click "Update release", done. Now you have sane URL, wgettable etc., to use for the tarball, not messed up by GitHub. |
Yeah, we've gotten no reports of checksum mismatches for OpenBLAS. Though I should note that Julia source builds keep the OpenBLAS tarball in the build tree so it doesn't have to be re-downloaded and checksummed, so the only time someone could encounter a checksum mismatch is when doing a fully clean build, like from a fresh clone or after |
|
@ararslan - could be that Julia did the bump-up to the new openblas at the moment when the hash change has already happened (it's not very frequent)? |
|
Apparently I raised the OpenBLAS version Julia uses on 30 October (JuliaLang/julia#29845). I don't know when the hash changed, but the MD5 for the version used by is |
|
@ararslan the problem is that github sometimes changes compression trimming few bytes from resulting files (still 10% bigger than with zopfli), thats why release links go to sf.net (thats in bottom of notes) while the top 2 items above notes will nibble behind the interface. |
|
closing as I remembered to upload md5sum'd copies for the last three releases now |
The current automatically made by GitHub release tarballs are not stable; they actually change (a bit) with the changes in the repo. (and so md5 hashes change, breaking various systems that use such hashes for consistency checks). However, there is always a possibility to upload a custom made release tarball, which would be also properly named, so that
wgeting it would not need subsequent renaming, one can get better compression (bz2/xz, etc).It would be great to have them, it's only a minor hassle for the release manager (click on Edit release, upload the tarball).
The text was updated successfully, but these errors were encountered: