On Thu, Feb 2, 2023 at 1:52 PM Erich Ritz via SlackBuilds-users < [email protected]> wrote:
> Hey everybody, this actually affected one of my submissions. It's a paid
> article on LWN (I don't have a membership), but it links to a GitHub blog
> post and there's enough in the first paragraph on LWN to describe the
> problem:
>
> Git archive generation meets Hyrum's law
>
> On January 30, the GitHub blog carried a brief notice that the checksums
> of archives (such as tarballs) generated by the site had just changed.
> GitHub's engineers were seemingly unaware of the consequences of such a
> change — consequences that were immediately evident to anybody familiar
> with either packaging systems or Hyrum's law. Those checksums were widely
> depended on by build systems, which immediately broke when the change went
> live; the resulting impact of jawbones hitting the floor was observed by
> seismographs worldwide. The change has been reverted for now, but it is
> worth looking at how GitHub managed to casually break vast numbers of build
> systems — and why this sort of change will almost certainly happen again.
>
> And the github blog post:
> https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/
>
> Action item for reviewers: MD5SUMs for source tarballs hosted on GitHub
> that have been submitted this week need to be verified again (the change
> that caused the problem has been reverted on GitHub's end). Those
> submissions that were unlucky enough to use the "bad" MD5SUMs will be wrong
> (like mine was).
>

Erich --

Thanks for the heads up.

I am an LWN subscriber.

Here is a 'sharable link'

Git archive generation meets Hyrum's law
<https://lwn.net/SubscriberLink/921787/c51540263d76877b/>

-- kjh
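The re-verification asked for in the thread, as an added example that is not part of the original messages: it compares a fresh download against the recorded MD5SUM and, on a mismatch, checks whether the decompressed tar stream still equals a kept copy of the archive the MD5SUM was computed from. The function names, the result labels, and the sample tree are assumptions made for illustration; two gzip compression levels stand in for an archive generator whose output changed.

```python
import gzip
import hashlib
import io
import tarfile
import zlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_tar(files: dict) -> bytes:
    """Tar with fixed metadata so the same tree always gives the same bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # mtime, uid and gid default to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def payload_digest(archive: bytes):
    """SHA-256 of the decompressed tar stream, or None if it is not gzip."""
    try:
        return hashlib.sha256(gzip.decompress(archive)).hexdigest()
    except (OSError, EOFError, zlib.error):
        return None


def triage(download: bytes, recorded_md5: str, reference: bytes) -> str:
    """Compare a fresh download with the recorded MD5SUM and a kept copy."""
    if md5_hex(download) == recorded_md5.strip().lower():
        return "match"
    got, want = payload_digest(download), payload_digest(reference)
    if got is None or want is None:
        return "unreadable"
    return "repacked" if got == want else "content-changed"


# Constructed sample tree; no real project or archive is involved.
TREE = {"demo-1.0/README": b"demo\n" * 200, "demo-1.0/main.c": b"int main(void){return 0;}\n"}
TAR = build_tar(TREE)
OLD = gzip.compress(TAR, compresslevel=9, mtime=0)  # archive the MD5SUM came from
NEW = gzip.compress(TAR, compresslevel=1, mtime=0)  # same tree, regenerated differently
CHANGED = gzip.compress(build_tar({**TREE, "demo-1.0/main.c": b"int main(void){return 1;}\n"}), mtime=0)

if __name__ == "__main__":
    for label, blob in (("old", OLD), ("new", NEW), ("changed", CHANGED)):
        print(label, md5_hex(blob), triage(blob, md5_hex(OLD), OLD))
```

A "repacked" result means only the compressed container differs and the recorded MD5SUM needs refreshing; "content-changed" means the source tree itself is different and deserves a closer look before the checksum is updated.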
