Downloading zlib tarballs from github release page. #2731
weijianwen wants to merge 1 commit into spack:develop from SJTU-HPC:zlib-github
Conversation
citibeth left a comment:
This PR needs to be rejected because it changes hashes.
@citibeth "needs to" seems a bit too hard to me. I understand the concerns on security, but given the number of stars the repository has, I would consider it pretty safe. If we really want to dig to the bottom of it, we can compare the sources to see where the differences are for a given version.
@citibeth: the hash changes here are because github auto-generates its tarballs. I've seen this issue with other repos before -- github releases often have different hashes from whatever is posted on a project's webpage. I do think the link @citibeth posted in #2732 is a better way to do this, though. @weijianwen: do you want to take that change on? Sorry for all the confusion.
@tgamblin Rather than SourceForge or other places, I think both http://zlib.net/fossils/ and github release pages are sound places to host the tarballs --
@citibeth: the hash changes here are because github auto-generates its tarballs. I've seen this issue with other repos before -- github releases often have different hashes from whatever is posted on a project's webpage.
Yes, that is not unexpected. For Autotools-based packages, the `configure` script is often not available when downloading directly from GitHub.

BUT... I still firmly believe that if hashes change, we need to verify the change. Otherwise, the hashes aren't worth a hill of beans.

In this case, someone would need to download the new and the old tarballs, unpack them and diff them. Then we use our judgement.

It's a lot easier if we don't change hashes, then nobody has to spend time on this.
On Wed, Jan 4, 2017 at 9:29 AM, Todd Gamblin wrote:
I do think the link @citibeth posted in #2732 is a better way to do this, though. @weijianwen: do you want to take that change on? Sorry for all the confusion.
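The check described in the comment above (download the old and the new tarball, unpack both, diff the trees, then judge the difference) as an added example; it is not code from this PR, from spack, or from zlib. It also shows the point raised about auto-generated archives: two tarballs of byte-identical sources get different SHA-256 digests as soon as tar metadata differs, so a changed digest on its own says nothing about whether the sources changed. The tarballs are constructed here from a made-up `pkg-1.0` tree with a generated `configure` script (an assumption standing in for a real release, not zlib's sources), so the script runs offline; in real use the two arguments to `review_hash_change` would be the tarball spack already records and the GitHub one.

```shell
#!/bin/sh
# Added example for the review step citibeth describes; it is not code from
# the spack PR, from spack, or from zlib.  Two tarballs that claim to be the
# same release are hashed, unpacked and diffed so the reviewer sees which
# files actually changed rather than trusting the new digest.  The tarballs
# are constructed below (a made-up 'pkg-1.0' tree, not real zlib sources)
# so the script runs offline.
set -eu

# sha256_of FILE: hex SHA-256 digest, the value spack records as sha256=...
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# tree_diff OLD NEW: unpack both tarballs and print a recursive diff of the
# two trees.  Returns 0 when the unpacked sources are identical and 1 when
# they differ.  diff -r looks at file contents only; tar/gzip metadata
# (mtimes, ownership, entry order, gzip timestamp) never reaches it, which
# is how two archives can have different digests but identical sources.
tree_diff() {
    scratch=$(mktemp -d)
    mkdir "$scratch/old" "$scratch/new"
    tar -xzf "$1" -C "$scratch/old"
    tar -xzf "$2" -C "$scratch/new"
    if diff -r "$scratch/old" "$scratch/new"; then
        td_rc=0
    else
        td_rc=1
    fi
    rm -rf "$scratch"
    return "$td_rc"
}

# review_hash_change OLD NEW RECORDED: the full check.  Exit codes:
#   0  digests differ but the sources are identical (repacking only)
#   1  the sources differ; read the printed diff and judge it
#   2  OLD does not match RECORDED, so there is no trusted baseline
review_hash_change() {
    [ "$(sha256_of "$1")" = "$3" ] || return 2
    echo "old sha256: $3"
    echo "new sha256: $(sha256_of "$2")"
    if tree_diff "$1" "$2"; then
        echo "sources identical: the hash change is packaging only"
        return 0
    fi
    echo "sources differ: review the diff above before accepting the new hash"
    return 1
}

# make_tarball OUT MTIME WITH_CONFIGURE: constructed fixture, not a real
# release.  MTIME (touch -t format) is stamped on every entry so the tar
# headers, and therefore the digest, change with it; WITH_CONFIGURE=yes
# adds the generated configure script that a maintainer's release tarball
# ships but an archive built straight from git does not.
make_tarball() {
    src=$(mktemp -d)
    mkdir "$src/pkg-1.0"
    printf 'int pkg_version(void) { return 100; }\n' > "$src/pkg-1.0/pkg.c"
    printf 'AC_INIT([pkg], [1.0])\n' > "$src/pkg-1.0/configure.ac"
    if [ "$3" = yes ]; then
        printf '#!/bin/sh\n# generated by autoconf\n' > "$src/pkg-1.0/configure"
    fi
    find "$src/pkg-1.0" -exec touch -t "$2" {} +
    tar -czf "$1" -C "$src" pkg-1.0
    rm -rf "$src"
}

# Demo: a release tarball, the same tree repacked on another day, and an
# archive built from git without the generated configure script.
demo() {
    d=$(mktemp -d)
    make_tarball "$d/release.tar.gz" 201701010000 yes
    make_tarball "$d/repack.tar.gz"  201701040000 yes
    make_tarball "$d/github.tar.gz"  201701040000 no
    recorded=$(sha256_of "$d/release.tar.gz")
    review_hash_change "$d/release.tar.gz" "$d/repack.tar.gz" "$recorded" || echo "rc=$?"
    review_hash_change "$d/release.tar.gz" "$d/github.tar.gz" "$recorded" || echo "rc=$?"
    rm -rf "$d"
}
demo
```

The repacked tarball exits 0 even though its digest differs from the recorded one, while the git-built archive exits 1 and prints a single `Only in .../old/pkg-1.0: configure` line, which is the kind of difference a reviewer can accept knowingly. The baseline check (exit 2) matters because the diff is only meaningful if the "old" side is really the tarball whose digest spack already trusts.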
Fix downloading failures due to invalid zlib tarball URL discussed in #2730.