[
https://issues.apache.org/jira/browse/LIBCLOUD-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846360#comment-13846360
]
Tomaz Muraus commented on LIBCLOUD-460:
---------------------------------------
I have uploaded a pristine archive to PyPI and the file checksums match now.
I have no idea how the original issue came about, but to prevent similar issues
from happening again in the future, I wrote a little bash script which
downloads the release artifacts from the Apache and PyPI servers and compares
the file checksums
(https://github.com/apache/libcloud/commit/3b1888733605ea8de7e1b25e3b4787837b1253ab).
I will work on automating the running of this script, but for now I will make
running it manually a mandatory part of the release process.
> checksum mismatch of ".tar.gz" tarball for version 0.13.2
> ----------------------------------------------------------
>
> Key: LIBCLOUD-460
> URL: https://issues.apache.org/jira/browse/LIBCLOUD-460
> Project: Libcloud
> Issue Type: Bug
> Components: Website
> Affects Versions: 0.13.2
> Environment: Building with Macports
> Reporter: Peter Danecek
> Labels: newbie, security
> Original Estimate: 10m
> Remaining Estimate: 10m
>
> I am trying to package libcloud, and intended to use both sources of the
> package, i.e. apache.org and PyPI. However, it seems that there is some
> mismatch with the .tar.gz. The tarball is indeed different. The published
> checksums are different and indeed the corresponding packages have the
> respective checksum.
> However, I think this should not really happen, at least as long as the same
> name/version is used.
>
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
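
The kind of cross-source check the comment describes, as an added example; it is not the script from the linked commit. It compares two already-downloaded copies of a release by digest, and the function names, directory layout, use of SHA-256 and sample files are all assumptions.

```bash
# Added example, not the Libcloud release script. Compares two local copies
# of a release (e.g. one fetched from each server) by SHA-256 (assumed algorithm).

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# compare_release_dirs DIR_A DIR_B BASENAME EXT...
# Succeeds only if every BASENAME.EXT exists in both directories with equal digests.
compare_release_dirs() (
    [ "$#" -ge 4 ] || { echo "usage: compare_release_dirs A B BASENAME EXT..." >&2; exit 2; }
    dir_a=$1; dir_b=$2; base=$3
    shift 3
    status=0
    for ext in "$@"; do
        file_a="$dir_a/$base.$ext"
        file_b="$dir_b/$base.$ext"
        if [ ! -f "$file_a" ] || [ ! -f "$file_b" ]; then
            echo "MISSING  $base.$ext (absent from one or both directories)"
            status=1
            continue
        fi
        sum_a=$(sha256_of "$file_a")
        sum_b=$(sha256_of "$file_b")
        if [ "$sum_a" = "$sum_b" ]; then
            echo "OK       $base.$ext  $sum_a"
        else
            echo "MISMATCH $base.$ext"
            echo "  $dir_a: $sum_a"
            echo "  $dir_b: $sum_b"
            status=1
        fi
    done
    [ "$status" -eq 0 ]
)

# Demo on constructed files: the second copy differs by one byte.
demo=$(mktemp -d)
mkdir "$demo/apache" "$demo/pypi"
printf 'release-bytes\n'  > "$demo/apache/example-1.0.tar.gz"
printf 'release-bytes!\n' > "$demo/pypi/example-1.0.tar.gz"
compare_release_dirs "$demo/apache" "$demo/pypi" example-1.0 tar.gz || echo "release check failed"
rm -rf "$demo"
```

Matching digests show only that the two sources serve the same bytes; they do not authenticate the release.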