| 1 |
On Tue, Aug 4, 2020 at 6:57 PM Alexey Mishustin <shumkar@×××××××.ru> wrote: |
| 2 |
> |
| 3 |
> вс, 2 авг. 2020 г. в 13:52, Ramon Fischer <Ramon_Fischer@×××××××.de>: |
| 4 |
> > |
| 5 |
> > I decided to use "EGIT_COMMIT" to let the ebuild pulling a certain commit. |
| 6 |
> |
| 7 |
> And even that would not give the sense of security... |
| 8 |
> |
| 9 |
> Just read in gentoo-dev [1]: |
| 10 |
> ...unannounced serverside change by GitHub, which broke download of |
| 11 |
> tarballs by git-tree-hash, e.g. previously https:// |
| 12 |
> api.github.com/repos/JuliaLang/MbedTLS.jl/tarball/ |
| 13 |
> 2d94286a9c2f52c63a16146bb86fd6cdfbf677c6 would give the tarball for |
| 14 |
> that tree- hash, while it now gives the tarball for master instead. |
| 15 |
> |
| 16 |
|
| 17 |
I'm pretty sure EGIT_COMMIT will fetch by commit ID using git, not |
| 18 |
download a hash-labeled tarball, so I don't think this issue would |
| 19 |
impact you if that is how you're fetching things. |
| 20 |
|
| 21 |
If you did use a hash tarball with SRC_URI and a conventional |
| 22 |
download, then emerge would still refuse to use the tarball if it |
| 23 |
failed the manifest hash check, so it wouldn't be installing anything |
| 24 |
you didn't want. |
| 25 |
|
| 26 |
Generally this isn't going to immediately break anything used by the |
| 27 |
Gentoo repo since 99% of this stuff will be mirrored, and the mirrors |
| 28 |
check hashes too. So, when github breaks the download link the |
| 29 |
mirrors will preserve their existing tarballs and refuse to replace |
| 30 |
them with new ones that don't have a matching hash (I'm talking about |
| 31 |
the actual hash of the file using multiple algorithms, not the hash in |
| 32 |
the filename). When you fetch from a mirror you'll still get the |
| 33 |
correct version of the file. If for some reason you can't reach any |
| 34 |
mirrors then you would download the broken link from github and then |
| 35 |
emerge would reject the file due to hash mismatch. |
| 36 |
|
| 37 |
Still, unless github fixes this we'll probably have to fix a bunch of |
| 38 |
links in the repositories - at least any based on hashes. I'm not |
| 39 |
sure if this impacts tags. The SRC_URIs are still invalid and we |
| 40 |
don't want to maintain that state as new mirrors won't be able to |
| 41 |
retrieve the file, and we generally want a valid SRC_URI for |
| 42 |
everything. Devs can always just upload the tarball to any random |
| 43 |
webserver and change the URI to point to it. My guess though is that |
| 44 |
everybody will want to give this a few days to see if github fixes |
| 45 |
their links. |
| 46 |
|
| 47 |
Really this could happen with any web hosting service - github is just |
| 48 |
a really prominent one. Back in the day if sourceforge suddenly went |
| 49 |
down a whole bunch of SRC_URIs would have broken too. |
| 50 |
|
| 51 |
-- |
| 52 |
Rich |
Archives