Two mostly off-topic comments prompted by this paragraph:

> On 22 Feb 2016, at 16:41, David Allsopp <dra-n...@metastack.com> wrote:
>
> On this string of PRs, I'm wondering if you're treating the symptom, and not
> the cause. Each PR so far is to do with an altered checksum from a code
> service's binary release system which suggests that they're not canonical
> (i.e. that they've changed the zip in what should be a trivial manner - e.g.
> putting the files in a different order). Rather than fixing the checksums,
> and causing this to happen again at the whim of a zip library, would it not
> be better to put in place a policy that zip links should not be to
> GitHub/BitBucket/Whatever auto-generating URLs but to actual static files
> (e.g. on github.io)?
1. It is surprisingly difficult to deterministically produce archives using
   common archiving tools. One of the "simplest" ways to achieve this is

     find "${DIRECTORY}" -name '.git' -prune -o -type f -print \
       | sort \
       | cpio -o -a --format=ustar \
       > "${ARCHIVE}"

   Using widely available compression algorithms will break determinism
   (gz, bz2, xz), maybe because of multi-threading or a randomization strategy
   used to avoid worst-case distribution scenarios. This is mostly speculative,
   as I did not put any effort into checking this. :)

2. The build system bsdowl I write and use for my OCaml packages supports
   production of GPG-signed archives with `make dist`; see for instance
   https://github.com/michipili/lemonade for a short example.

Best regards,

Michael

_______________________________________________
opam-devel mailing list
opam-devel@lists.ocaml.org
http://lists.ocaml.org/listinfo/opam-devel
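Added example (not from this mail, opam or bsdowl): the same find | sort | cpio idea written portably in Python, so the archive bytes, and therefore the checksum a package manager pins, depend only on path names, the exec bit and file contents, not on directory listing order, mtimes, uid/gid or the building host. It also shows that gzip's header timestamp is one concrete source of differing .gz bytes and that pinning it (mtime=0) makes the compressed output stable as well. The `.git` pruning, the mode normalisation and the sample tree are choices made for this example.

```python
"""Deterministic tar + gzip builder (added example, not project code)."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile


def deterministic_tar_bytes(src_dir: str, skip_dirs=(".git",)) -> bytes:
    """ustar stream with byte-sorted entry order and pinned metadata."""
    entries = []
    for root, dirs, files in os.walk(src_dir):
        # prune .git (as the find command does) and walk in a stable order
        dirs[:] = sorted(d for d in dirs if d not in skip_dirs)
        for name in files:
            full = os.path.join(root, name)
            arcname = os.path.relpath(full, src_dir).replace(os.sep, "/")
            entries.append((arcname, full))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for arcname, full in sorted(entries):  # like `sort` in the C locale
            info = tar.gettarinfo(full, arcname=arcname)
            info.mtime = 0                      # no build-time leakage
            info.uid = info.gid = 0             # no host user/group leakage
            info.uname = info.gname = ""
            info.mode = 0o755 if info.mode & 0o100 else 0o644  # keep only exec bit
            with open(full, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def gzip_deterministic(data: bytes) -> bytes:
    """gzip with mtime=0 and no embedded filename: same input, same bytes."""
    out = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=out, mtime=0) as gz:
        gz.write(data)
    return out.getvalue()


def archive_digest(src_dir: str) -> str:
    """sha256 of the reproducible .tar.gz, i.e. what a checksum file would pin."""
    return hashlib.sha256(gzip_deterministic(deterministic_tar_bytes(src_dir))).hexdigest()


if __name__ == "__main__":
    root = tempfile.mkdtemp()                   # constructed sample tree
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "main.ml"), "w") as f:
        f.write("let () = ()\n")
    print(archive_digest(root))
```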