
Upload stable release tarballs instead of using github generated ones

Open NathanReb opened this issue 4 years ago • 5 comments

The latest cppo release uses the github generated tarballs which are known to be unstable as they get regenerated from time to time, making the upstream opam-repository hash obsolete.

It's now best practice to upload a tarball as a release asset to prevent this. There are tools that can help you create a stable tarball such as dune-release. If you had issues releasing cppo with dune-release I'm happy to help!

NathanReb avatar Oct 12 '21 08:10 NathanReb

I don't think this is correct. The github generated tarballs are absolutely stable, and can be traced back to their origin mechanically. If we upload a tarball it becomes very difficult for someone to assure provenance, which is important in an era of supply chain attacks.

pmetzger avatar Oct 12 '21 13:10 pmetzger

This has been a known issue in the community for quite a while, hence, in part, the development of release tools.

It might be the case that github fixed that behaviour but I haven't heard of it. The opam-repository maintainers can probably confirm or invalidate. Cc @avsm @kit-ty-kate @mseri.

NathanReb avatar Oct 13 '21 07:10 NathanReb

It is not the norm that the tarballs change, but they do change, e.g. if a repository or its owner/organization is renamed on github, but it is not limited to this example. We have seen it happen already multiple times in the past, so I would not consider it reliable until github makes a promise/statement on it. The archives uploaded for the release instead are never modified, which is why for example dune-release re-uploads the release artifacts instead of linking the archive associated with a tag.

mseri avatar Oct 13 '21 07:10 mseri

Indeed, the auto generated tarballs from GitHub don't change often, but they do occasionally change if the compression mode changes. e.g. https://github.com/Homebrew/homebrew-core/issues/18044

avsm avatar Oct 18 '21 10:10 avsm
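The failure mode the thread describes, as an added example that is not code from the cppo issue, opam or dune-release: the same tar payload is gzipped twice with a different compression level and header timestamp, which is enough to change the archive checksum a package repository records while the sources are byte-for-byte unchanged. The source tree, version string and timestamps are constructed for the example.

```python
"""Added example, not from the cppo issue, opam or dune-release."""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a release tree; the version is a placeholder.
SOURCE_TREE = {
    "cppo-0.0.0-example/dune-project": b"(lang dune 2.0)\n",
    "cppo-0.0.0-example/src/version.ml": b'let version = "0.0.0-example"\n',
}

def build_tar(files):
    """Return a reproducible uncompressed tar stream of the constructed tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 1634000000  # fixed so the payload is deterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def gzip_archive(tar_bytes, level, mtime):
    """Wrap the payload; level and header mtime are what a regenerator may change."""
    return gzip.compress(tar_bytes, compresslevel=level, mtime=mtime)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def payload_sha256(archive):
    """Checksum that survives re-compression: hash the decompressed tar stream."""
    return sha256(gzip.decompress(archive))

def check_archive(archive, expected_archive_sha, expected_payload_sha):
    """Archive hash first (what opam-repository pins); on mismatch, tell a
    re-wrapped archive apart from one whose sources actually differ."""
    if sha256(archive) == expected_archive_sha:
        return "ok"
    if payload_sha256(archive) == expected_payload_sha:
        return "recompressed"      # same sources, new gzip wrapper
    return "content-changed"       # sources differ: investigate before re-pinning

if __name__ == "__main__":
    payload = build_tar(SOURCE_TREE)
    original = gzip_archive(payload, level=6, mtime=1634000000)
    regenerated = gzip_archive(payload, level=9, mtime=1634600000)
    print("archive hashes equal:", sha256(original) == sha256(regenerated))
    print("verdict:", check_archive(regenerated, sha256(original), payload_sha256(original)))
```

The payload checksum only tells the two cases apart; a release asset that is never rewritten removes the ambiguity altogether, which is the point dune-release's re-upload makes.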

Regardless, code provenance is important. I'd rather do a teeny version bump if something changes than use a tarball that doesn't come straight off the repo. For what it's worth, MacPorts, which maintains a really large number of packages off github, doesn't see problems with this very often. Indeed, I can't think of the last time it came up.

pmetzger avatar Oct 19 '21 20:10 pmetzger