
Missing source release archive for 0.28.1 and 0.28.2

Open diizzyy opened this issue 2 years ago • 8 comments

Please generate one as it could help packaging a lot and also because of https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/

diizzyy avatar Nov 07 '23 23:11 diizzyy

@kevinbackhouse Is it possible to have one uploaded to GitHub, especially due to https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/ ?

diizzyy avatar Feb 15 '24 03:02 diizzyy

Aren't these what you're looking for?

  • https://github.com/Exiv2/exiv2/releases/tag/v0.28.1
  • https://github.com/Exiv2/exiv2/releases/tag/v0.28.2

kevinbackhouse avatar Feb 19 '24 13:02 kevinbackhouse

Aren't these what you're looking for?

I think what he's saying is that one shouldn't rely on GitHub auto-generated tarballs as they can change, so any verification by hash is difficult/pointless long term...

kmilos avatar Feb 19 '24 13:02 kmilos

@kmilos Indeed, it makes packaging troublesome

diizzyy avatar Feb 19 '24 16:02 diizzyy

@diizzyy: I don't understand what you want me to do. Please could you give me very precise instructions? Then I will consider it.

kevinbackhouse avatar Feb 20 '24 10:02 kevinbackhouse

@kevinbackhouse @nehaljwani The request is for a manually generated source tarball that is then manually added to release assets, like it was done for all releases up to 0.28.0: https://github.com/Exiv2/exiv2/releases/tag/v0.28.0

See https://github.com/Exiv2/exiv2/blob/8414a98d01a59cc6eaca25711e51eba071fbc534/README.md?plain=1#L564

kmilos avatar Feb 20 '24 12:02 kmilos

I still don't understand what problem this would solve. If somebody is particularly concerned about verifying the authenticity of the code, surely they should get it from the git repository directly, rather than relying on a tarball that was uploaded manually? I put gpg-signed tags on v0.28.1 and v0.28.2 for that purpose. You can also download a tarball for an arbitrary commit like this: https://github.com/Exiv2/exiv2/archive/04207b9c39bf7b3b1a7144f7ed4e4f16b4f29ef6.zip

kevinbackhouse avatar Feb 20 '24 12:02 kevinbackhouse

I still don't understand what problem this would solve.

As linked above, the GitHub auto-generated source tarballs are not permanent (only cached for a year), so their hash can change.

Most distros use the tarball + hash in their packaging scripts so this is not a permanent solution. (One can argue that's not a good approach anyway, but that's beside the point here - there are way too many of them to force them to change straight away.)

  • https://gitlab.archlinux.org/archlinux/packaging/packages/exiv2/-/blob/main/.SRCINFO?ref_type=heads
  • https://src.fedoraproject.org/rpms/exiv2/blob/rawhide/f/sources
  • https://gitweb.gentoo.org/repo/gentoo.git/tree/media-gfx/exiv2/Manifest
  • https://github.com/macports/macports-ports/blob/master/graphics/exiv2/Portfile

etc. etc.

kmilos avatar Feb 20 '24 12:02 kmilos
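To make the packaging problem kmilos describes concrete, here is an added Python example (not code from this thread or from the exiv2 project) using a constructed two-file source tree: two archives of byte-identical content, generated with different timestamps, get different SHA-256 sums, so a distro's pinned checksum fails on the regenerated archive even though nothing in the source changed, while a digest over file paths and contents alone stays stable.

```python
import gzip
import hashlib
import io
import tarfile
# Constructed two-file source tree standing in for a checkout at a release tag.
SOURCE_TREE = {
    "exiv2-0.28.x/README.md": b"# exiv2 (constructed sample)\n",
    "exiv2-0.28.x/src/version.cpp": b'const char* v = "0.28.x";\n',
}

def build_tarball(tree, mtime):
    """Pack `tree` into a .tar.gz. `mtime` lands in every tar header and in the
    gzip header: metadata an archive generator may change between runs even
    though the file contents are byte-for-byte identical."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(tree[name]))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_pinned(tarball, expected_sha256):
    """Distro-style check: the archive bytes must match the pinned checksum."""
    return sha256_hex(tarball) == expected_sha256

def content_digest(tarball):
    """Digest over (path, bytes) of regular files only, ignoring archive metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if member.isfile():
                h.update(member.name.encode() + b"\0")
                h.update(tar.extractfile(member).read() + b"\0")
    return h.hexdigest()

if __name__ == "__main__":
    first = build_tarball(SOURCE_TREE, mtime=1700000000)
    regenerated = build_tarball(SOURCE_TREE, mtime=1700086400)  # same tree, a day later
    pinned = sha256_hex(first)
    print("pinned sha256 still matches regenerated archive:", verify_pinned(regenerated, pinned))
    print("file contents unchanged:", content_digest(first) == content_digest(regenerated))
```

A manually uploaded release asset or a gpg-signed tag pins either the exact bytes or the exact tree, which is what the packaging files listed above need.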