| 1 |
On 2020-08-04 19:36-0400 Rich Freeman <rich0@g.o> wrote: |
| 2 |
|
| 3 |
> On Tue, Aug 4, 2020 at 6:57 PM Alexey Mishustin <shumkar@×××××××.ru> |
| 4 |
> wrote: |
| 5 |
> > |
| 6 |
> > вс, 2 авг. 2020 г. в 13:52, Ramon Fischer |
| 7 |
> > <Ramon_Fischer@×××××××.de>: |
| 8 |
> > > |
| 9 |
> > > I decided to use "EGIT_COMMIT" to let the ebuild pulling a |
| 10 |
> > > certain commit. |
| 11 |
> > |
| 12 |
> > And even that would not give the sense of security... |
| 13 |
> > |
| 14 |
> > Just read in gentoo-dev [1]: |
| 15 |
> > ...unannounced serverside change by GitHub, which broke download of |
| 16 |
> > tarballs by git-tree-hash, e.g. previously https:// |
| 17 |
> > api.github.com/repos/JuliaLang/MbedTLS.jl/tarball/ |
| 18 |
> > 2d94286a9c2f52c63a16146bb86fd6cdfbf677c6 would give the tarball for |
| 19 |
> > that tree- hash, while it now gives the tarball for master instead. |
| 20 |
> > |
| 21 |
|
| 22 |
This seems to affect only api.github.com, packages in ::guru use |
| 23 |
https://github.com/<REPO>/archive/<COMMIT>.tar.gz instead, which is not |
| 24 |
affected (just checked with net-wireless/rtl8192eu-0_pre20200123). |
| 25 |
|
| 26 |
> I'm pretty sure EGIT_COMMIT will fetch by commit ID using git, not |
| 27 |
> download a hash-labeled tarball, so I don't think this issue would |
| 28 |
> impact you if that is how you're fetching things. |
| 29 |
|
| 30 |
Correct. |
| 31 |
|
| 32 |
> […] |
| 33 |
> Still, unless github fixes this we'll probably have to fix a bunch of |
| 34 |
> links in the repositories - at least any based on hashes. I'm not |
| 35 |
> sure if this impacts tags. The SRC_URIs are still invalid and we |
| 36 |
> don't want to maintain that state as new mirrors won't be able to |
| 37 |
> retrieve the file, and we generally want a valid SRC_URI for |
| 38 |
> everything. Devs can always just upload the tarball to any random |
| 39 |
> webserver and change the URI to point to it. My guess though is that |
| 40 |
> everybody will want to give this a few days to see if github fixes |
| 41 |
> their links. |
| 42 |
|
| 43 |
A quick grep indicated that the only packages in ::gentoo using |
| 44 |
api\.github\.com.*tarball are net-analyzer/tcpflow, dev-python/mypy, |
| 45 |
dev-lang/julia and app-forensics/dfxml. |
| 46 |
|
| 47 |
> Really this could happen with any web hosting service - github is just |
| 48 |
> a really prominent one. Back in the day if sourceforge suddenly went |
| 49 |
> down a whole bunch of SRC_URIs would have broken too. |
| 50 |
> |
Archives