On Monday, 9 October 2017 at 18:56:13 UTC, Martin Nowak wrote:
On 10/07/2017 03:20 PM, Eugene Wissner wrote:
But please consider something different than github as alternative. GitHub doesn't guarantee that it always generates the same tarball for the same commit/release, so the checksum can change and the downloaded tarball looks corrupted, though it has absolutely the same content.

Ah good to know, indeed seems to be a problem for GH's archive endpoints? Would of course be a nogo for distro build receipts. https://github.com/libgit2/libgit2/issues/4343#issuecomment-328631745

I had this problem about two weeks ago.
As an example.. Slackware is a half-binary, half-source based Linux. The core system is provided as binary packages and the most users build other programs from slackbuilds.org which provides a huge collection of third-party packages as automated build scripts (but they don't keep the sources, only scripts that build a package from the source). There are also automation tools to compile all the dependencies if needed. It is slightly similar to how freebsd ports work. Such a tool has to verify that the downloaded source is not corrupted and it is done with md5. Actually I think that it can be a problem for many smaller linux distributions that are community-driven and not backed by commercial organizations and don't have the power to keep all sources themselves like debian does. GitHub breaks the archives very very seldom but if it happens it is very painful

Reply via email to