[Dev] FWD: [openbsd-ports] Porters, please read re GitHub auto-generated tarballs vs releases

Luke Shumaker lukeshu at lukeshu.com
Fri Mar 2 21:18:01 GMT 2018

On 2018-02-27 at 12:28:07
Stuart Henderson wrote:
> Many ports are using github's on-the-fly generated source-code tarballs
> via the GH_ variables in Makefiles.
> These are *not* guaranteed to be stable, they can change as github
> update software and caches expire (this has happened at some point over
> the last few months so we have been seeing a number of hash failures
> recently). Due to local caches at the github clusters, these files
> can be different depending on which cluster you're connecting to,
> so if you regenerate distinfo to match the file which you see
> locally, it may cause breakage elsewhere in the world.

That's a bummer. Around 2011, the auto-generated tarballs were really
not stable; it would just about never give you the same file
twice. Since then (2014-ish, maybe?), they had changed their
implementation, and it it started consistently giving the same file,
to different parts of the world (ie, probably hitting different
clusters), for years.  I had assumed that meant GitHub had committed
to keeping them stable, and we started allowing them in Parabola.

It's a bummer that in the last few months they've apparently started
breaking that.

Though I wonder if that's intentional/allowed, or if it's really just
a bug in GitHub.

> :   "It is not meant to be reliable or a way to distribute software
> :   releases and nothing in the software stack is made to try to
> :   produce consistent archives."

I can't seem to find a source for that quote.

Happy hacking,
~ Luke Shumaker

More information about the Dev mailing list