If the problem is that packaging is not deterministic... what if we run the 
hash check on the unpacked files instead of the tarball?


On Monday, 12 January 2015, 11:59:53 (UTC+1), Thierry
(sage-googlesucks@xxx) wrote:
>
> Hi, 
>
> it is advised to distribute unmodified upstream tarballs as much as
> possible, so that the end user is able to check that the tarball
> shipped by Sage has the same hash as upstream's. However, when size can
> be reduced by a huge factor, integrity arguments become pretty weak and we
> randomly upload hand-modified tarballs on tickets without a clear checking
> process during the review process.
>
> In some cases, one possibility is to discuss with upstream shipping both
> full and trimmed sources (which will benefit other downstreams, e.g. for
> mathjax, which can be considerably reduced while keeping all features).
>
> Another mid-term compromise could be to strip a few upstream sources,
> but in a checkable and reproducible manner, that is, with a spkg-src
> script that produces deterministic tarballs, so that anyone (in
> particular the reviewer) can re-run the script and check the hashsums. By
> default, tarballs are quite volatile because of timestamps and ownership;
> also the file ordering seems to depend on the computer, the posix format
> is nondeterministic, and I may have missed some other subtleties.
>
> In order to try such a possibility on the next matplotlib update, could some
> people (especially someone using OSX) give me (with minimal info on their
> OS, arch, and tar --version) the result of:
>
> wget https://downloads.sourceforge.net/project/matplotlib/matplotlib/matplotlib-1.4.2/matplotlib-1.4.2.tar.gz
> tar xf matplotlib-1.4.2.tar.gz
> rm -rf matplotlib-1.4.2/lib/matplotlib/tests/baseline_images/*
> find matplotlib-1.4.2 | LC_ALL=C sort | tar --no-recursion -cj --format=gnu \
>     --mtime='1970-01-01 00:00:00 UTC' --group=0 --owner=0 \
>     -f matplotlib-1.4.2.tar.bz2 -T -
> shasum matplotlib-1.4.2.tar.bz2
>
> Thanks, 
> Thierry 
>
>
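Both ideas from the thread, the deterministic pruned tarball from the quoted recipe and the reply's alternative of hashing the unpacked files, as an added Python example that is not code from the thread or from Sage; the `prune` parameter and the `pkg-1.0` layout used in testing are illustrative.

```python
import hashlib
import io
import os
import tarfile

def _normalize(info):
    # Drop the per-machine metadata that makes tar output volatile.
    info.mtime = 0                      # 1970-01-01 00:00:00 UTC
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or info.mode & 0o111 else 0o644
    return info

def deterministic_tarball(root, prune=frozenset()):
    """Pack `root` as .tar.bz2 with sorted entries and fixed metadata; dirs in
    `prune` (paths relative to root) are kept but emptied, like the rm -rf step.
    bzip2 stores no timestamp, so equal input gives equal bytes (gzip would
    also need its header mtime pinned)."""
    base = os.path.basename(os.path.abspath(root))
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        if rel in prune:
            dirnames[:], filenames = [], []
        entries.append(rel)
        entries.extend(os.path.join(rel, f) for f in filenames)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(entries):     # code-point order, not locale collation
            tar.add(os.path.join(root, rel) if rel else root,
                    arcname=os.path.join(base, rel) if rel else base,
                    recursive=False, filter=_normalize)
    return buf.getvalue()

def tree_digest(root):
    """SHA-256 over sorted relative paths and file contents, ignoring all
    metadata: the hash check on the unpacked files suggested in the reply."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            # Length-prefix the content so path/content boundaries are unambiguous.
            h.update(f"{os.path.relpath(full, root)}\0{len(data)}\0".encode() + data)
    return h.hexdigest()
```

Compare `tree_digest` of the pruned tree against upstream's tree to skip the tarball question entirely; `deterministic_tarball` is the equivalent of the quoted tar invocation when a checkable spkg-src artifact is wanted.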
