On 12/11/23 5:47 AM, Arsen Arsenović wrote:
> hi,
>
> it seems that codeberg has changed how they produce their archives on
> URLs like <https://codeberg.org/dnkl/foot/archive/${tag}.tar.gz> leading
> to digest failures like <https://bugs.gentoo.org/919135>, as implied by
> the following checks:
>
> ~$ diff <(<dls/foot-1.16.2.tar.gz gzip -d)
> <(</var/cache/distfiles/foot-1.16.2.tar.gz gzip -d)
> ~$ diff <(<dls/foot-1.16.2.tar.gz cat)
> <(</var/cache/distfiles/foot-1.16.2.tar.gz cat)
> Binary files /dev/fd/63 and /dev/fd/62 differ
>
> the above shows that compressed content differs while decompressed
> content remains identical.
>
> (dls/foot-1.16.2.tar.gz is downloaded from the master distfiles mirror,
> /var/cache/distfiles/foot-1.16.2.tar.gz is fetched from codeberg at
> around two in the morning last night)
>
> you might want to regenerate manifests for projects fetching from
> /archive/ urls on codeberg.
>
> Daniel, thank you for working on foot. may I ask that you attach 'meson
> dist'-generated files to releases? you could also use that opportunity
> to hash or sign them, if you so desire.
>
> in either case, thank you again.
>
> have a lovely day, all!

It sounds like they completely failed to get the memo about:

https://github.com/orgs/community/discussions/46034

However, I really do wish tremendously that they *would* change all tarball checksums... for a good reason! Namely, they need to fix https://github.com/go-gitea/gitea/issues/18078 because currently gitea-based software forges kind of suck and I'd rather no one used them for anything, lol.

It does appear that since last year when they fixed an unrelated issue, closed *this* issue as "not fixed but sometime in the future we'll fix it, we pinky promise"...

... that they've fixed the issue for manually uploaded release assets where the download url was based on an unpredictable uuid. So that's sort of kind of a little bit good at least.

--
Eli Schwartz
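
Added example, not part of either message above: a Python version of the triage the quoted `diff` commands perform, going one step further by listing which files differ when the decompressed tar stream itself has changed. The function names, verdict strings and sample archives are constructed for illustration and are not real foot release contents.

```python
import gzip
import hashlib
import io
import tarfile
import zlib

def file_digests(tar_bytes):
    """Map each regular file in an uncompressed tar stream to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            if member.isfile():
                data = tf.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def classify(recorded_gz, fetched_gz):
    """Return (verdict, changed_paths) for two .tar.gz byte strings."""
    if recorded_gz == fetched_gz:
        return "identical", []
    try:
        old_tar = gzip.decompress(recorded_gz)
        new_tar = gzip.decompress(fetched_gz)
    except (OSError, EOFError, zlib.error):
        return "unreadable", []
    if old_tar == new_tar:
        # Same tar stream, different gzip framing: the case in the report.
        return "recompressed-only", []
    # Tar stream differs; an empty list here means only tar metadata changed.
    old, new = file_digests(old_tar), file_digests(new_tar)
    changed = sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
    return "tar-stream-changed", changed

def make_tar(files):
    """Constructed sample input: a deterministic tar built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples: one tar gzipped two ways, plus an edited variant.
TAR = make_tar({"foot/meson.build": b"project('foot')\n"})
MIRROR = gzip.compress(TAR, compresslevel=9, mtime=0)
FORGE = gzip.compress(TAR, compresslevel=1, mtime=1)
EDITED = gzip.compress(make_tar({"foot/meson.build": b"project('f00t')\n"}), mtime=0)
```

Only a `recompressed-only` verdict matches the situation in the report; a `tar-stream-changed` verdict means the recorded digest should not be regenerated until the listed paths have been reviewed.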