checksums for source tarballs downloaded from github.com/.../.../archive can change over time

First reported by @schiotz at https://github.com/easybuilders/easybuild-easyconfigs/pull/4871#issuecomment-331072093, several other projects have been hit by this as well:

* https://github.com/google/protobuf/issues/3619
* https://github.com/bazelbuild/bazel/issues/3722
* https://github.com/tensorflow/tensorflow/issues/12979

Some more details in https://github.com/libgit2/libgit2/issues/4343#issuecomment-328631745

Long story short: we should try to avoid downloading from `github.com/.../.../archive` (and try to use `github.com/.../.../releases` (or another located where 'packaged' tarballs are available) instead, if at all possible.

If not, the alternatives I see are:

* doing a `git clone` on the tagged version and creating the tarball ourselves (directly using `tar`), which should always give the same tarball?
* not including any checksums if we need to download from `github.com/.../.../archive`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

checksums for source tarballs downloaded from github.com/.../.../archive can change over time #5151

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

checksums for source tarballs downloaded from github.com/.../.../archive can change over time #5151

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions