homebrew-core icon indicating copy to clipboard operation
homebrew-core copied to clipboard

Published 20 hours ago verified publisher icon Homebrew

tkey-ssh-agent: update artifact url and checksum

Open chenrui333 opened this issue 1 year ago • 8 comments

  • [ ] Have you followed the guidelines for contributing?
  • [ ] Have you ensured that your commits follow the commit style guide?
  • [ ] Have you checked that there aren't other open pull requests for the same formula update/change?
  • [ ] Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
  • [ ] Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
  • [ ] Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

found in #162713

chenrui333 avatar Feb 14 '24 22:02 chenrui333

This should also change dependancy from "go" to "[email protected]" once

  • https://github.com/Homebrew/homebrew-core/pull/162713

is merged

stefanb avatar Feb 15 '24 05:02 stefanb

This should also change dependancy from "go" to "[email protected]" once

* [[email protected] 1.21.7 (new formula) #162713](https://github.com/Homebrew/homebrew-core/pull/162713)

is merged

If I'm not mistaken, I think it should be built with [email protected]. It relates to this issue, which is fixed upstreams but not yet released. So to close this PR that is the easiest fix. We do intend to make the release fixing the build issue with go above 1.20, but that will happen in about 2 weeks from now.

dehanj avatar Feb 15 '24 21:02 dehanj

@chenrui333, can you update the build dependency from "go" to "[email protected]"? Would appreciate it. Should fix the build issue so this PR can go through.

dehanj avatar Feb 16 '24 21:02 dehanj

@dehanj we are waiting for confirmation from upstream that the changed checksum is legitimate.

bevanjkay avatar Feb 16 '24 21:02 bevanjkay

@bevanjkay I think it is legitimate. See my comment here.

dehanj avatar Feb 16 '24 22:02 dehanj

Unfortunately what we "think" is generally not enough in these instances. We need official confirmation from upstream

bevanjkay avatar Feb 16 '24 23:02 bevanjkay

@chenrui333, can you update the build dependency from "go" to "[email protected]"? Would appreciate it.

we actually deprecated [email protected] recently, meaning we cannot use it as build dependencies anymore

chenrui333 avatar Feb 17 '24 20:02 chenrui333

we actually deprecated [email protected] recently, meaning we cannot use it as build dependencies anymore

Ah, I see. Then this will have to wait until we release in about 2 weeks. It would obviously produce a new checksum for that release, but I will try to dig a bit more until then to see if we can get a better explanation for this change. The source in the tarball has not changed at least.

dehanj avatar Feb 18 '24 08:02 dehanj

@dehanj is the upstream maintainer and confirm the latest checksum, my idea is maybe we can upload the tarball into the github asset rather than use github's source archive tarball for the sake of the tarball stability.

chenrui333 avatar Mar 02 '24 16:03 chenrui333

If uploading our own release tarball is the recommendation from Homebrew, that is a solution. Is that the general recommendation from Homebrew? I guess it has to be seen Github does not offer checksum stability on the tarballs (even if they should seldomly change).

Unfortunately, we still have the issue that our latest release only supports Go 1.20 and below, and it has been deprecated. The fix is merged upstream, but we have some other changes the we absolutely need to include in our next release, it is our priority, but It is not finished yet. Sorry for the wait.

dehanj avatar Mar 02 '24 20:03 dehanj

In this case I think the tarball checksum could be a result of the repository rename because the repository name is encoded in the tarball:

$ curl -Ls https://github.com/tillitis/tillitis-key1-apps/archive/refs/tags/v0.0.6.tar.gz | tar zt | head
tkey-ssh-agent-0.0.6/
tkey-ssh-agent-0.0.6/.clang-format
tkey-ssh-agent-0.0.6/.editorconfig
tkey-ssh-agent-0.0.6/.github/
tkey-ssh-agent-0.0.6/.github/workflows/
tkey-ssh-agent-0.0.6/.github/workflows/ci.yaml
tkey-ssh-agent-0.0.6/.gitignore
tkey-ssh-agent-0.0.6/.golangci.yml
tkey-ssh-agent-0.0.6/LICENSE
tkey-ssh-agent-0.0.6/Makefile

I guess it has to be seen Github does not offer checksum stability on the tarballs (even if they should seldomly change).

There was an incident last year changing the checksum of all Git archives. The change was reverted shortly after, but the recommendation from GitHub is that release assets are preferred over Git archives if checksum stability is a requirement.

However, most of the checksum mismatches we see are a result of re-tagging. So, if you don't go against Git's recommendation and re-tag your releases (or frequently rename the repository which I don't think you will :) ), then it should be fine.

ZhongRuoyu avatar Mar 03 '24 01:03 ZhongRuoyu

:robot: An automated task has requested bottles to be published to this PR.

github-actions[bot] avatar Mar 03 '24 03:03 github-actions[bot]

In this case I think the tarball checksum could be a result of the repository rename because the repository name is encoded in the tarball:

Thanks, the renaming seems to be the root cause.

However, most of the checksum mismatches we see are a result of re-tagging. So, if you don't go against Git's recommendation and re-tag your releases (or frequently rename the repository which I don't think you will :) ), then it should be fine.

Makes sense! Then I think it should be fine.

dehanj avatar Mar 11 '24 20:03 dehanj