1 |
On Tue, Aug 4, 2020 at 6:57 PM Alexey Mishustin <shumkar@×××××××.ru> wrote: |
2 |
> |
3 |
> вс, 2 авг. 2020 г. в 13:52, Ramon Fischer <Ramon_Fischer@×××××××.de>: |
4 |
> > |
5 |
> > I decided to use "EGIT_COMMIT" to let the ebuild pulling a certain commit. |
6 |
> |
7 |
> And even that would not give the sense of security... |
8 |
> |
9 |
> Just read in gentoo-dev [1]: |
10 |
> ...unannounced serverside change by GitHub, which broke download of |
11 |
> tarballs by git-tree-hash, e.g. previously https:// |
12 |
> api.github.com/repos/JuliaLang/MbedTLS.jl/tarball/ |
13 |
> 2d94286a9c2f52c63a16146bb86fd6cdfbf677c6 would give the tarball for |
14 |
> that tree- hash, while it now gives the tarball for master instead. |
15 |
> |
16 |
|
17 |
I'm pretty sure EGIT_COMMIT will fetch by commit ID using git, not |
18 |
download a hash-labeled tarball, so I don't think this issue would |
19 |
impact you if that is how you're fetching things. |
20 |
|
21 |
If you did use a hash tarball with SRC_URI and a conventional |
22 |
download, then emerge would still refuse to use the tarball if it |
23 |
failed the manifest hash check, so it wouldn't be installing anything |
24 |
you didn't want. |
25 |
|
26 |
Generally this isn't going to immediately break anything used by the |
27 |
Gentoo repo since 99% of this stuff will be mirrored, and the mirrors |
28 |
check hashes too. So, when github breaks the download link the |
29 |
mirrors will preserve their existing tarballs and refuse to replace |
30 |
them with new ones that don't have a matching hash (I'm talking about |
31 |
the actual hash of the file using multiple algorithms, not the hash in |
32 |
the filename). When you fetch from a mirror you'll still get the |
33 |
correct version of the file. If for some reason you can't reach any |
34 |
mirrors then you would download the broken link from github and then |
35 |
emerge would reject the file due to hash mismatch. |
36 |
|
37 |
Still, unless github fixes this we'll probably have to fix a bunch of |
38 |
links in the repositories - at least any based on hashes. I'm not |
39 |
sure if this impacts tags. The SRC_URIs are still invalid and we |
40 |
don't want to maintain that state as new mirrors won't be able to |
41 |
retrieve the file, and we generally want a valid SRC_URI for |
42 |
everything. Devs can always just upload the tarball to any random |
43 |
webserver and change the URI to point to it. My guess though is that |
44 |
everybody will want to give this a few days to see if github fixes |
45 |
their links. |
46 |
|
47 |
Really this could happen with any web hosting service - github is just |
48 |
a really prominent one. Back in the day if sourceforge suddenly went |
49 |
down a whole bunch of SRC_URIs would have broken too. |
50 |
|
51 |
-- |
52 |
Rich |