Release tarballs changed


Alyssa Ross

Mar 16, 2020, 3:01:54 PM
to Ope...@opendap.org
Hello,

I work on the NixOS Linux distribution. Our libdap package broke
because the libdap-3.20.5.tar.gz file from your website was altered.
The diff is at the end of this message.

PLEASE DO NOT ALTER RELEASE TARBALLS.

It makes life extremely hard for downstream packagers. I'm sure we're
not the only distribution whose libdap package was broken by this. It
is a strong convention that these files do not change once they are
released. Packages are pinned using a hash of the tarball to make sure
a user's system cannot be compromised if a website is hacked and starts
serving malware, etc.

Investigating broken hashes like this is extremely time-consuming,
because one first has to track down the original tarball, which is not
always easy to do.

--- a/README
+++ b/README
@@ -1,9 +1,11 @@
Please find the libdap4 API documentation here: https://opendap.github.io/libdap4/html/

+[![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.3641778.svg)](https://doi.org/10.5281/zenodo.3641778)
+
Updated for version 3.20.5

Memory leaks. Minor bug fixes. Lots of work on CI.

Updated for version 3.20.4

Memory leak fixes and C++11 features
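
Review bot: This README change should not go into the 3.20.5 archive. The two added lines after the documentation link (the Zenodo DOI badge and a blank line) sit above the unchanged "Updated for version 3.20.5" entry, so the file content changes while the version stays the same. Ship the badge in the next numbered release, or publish the DOI outside the tarball, and leave the 3.20.5 archive as first released. As a style point, the badge uses Markdown image syntax in a file named README with no .md extension, so plain-text viewers will show it as raw markup.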

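
The pinning check described in the message, plus a per-file comparison that locates what changed between two archives served under the same name, as an added example that is not part of the original message or of NixOS or libdap tooling. The archive contents, the `pkg-1.0` paths and all function names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def make_tarball(files):
    """Pack {path: bytes} into an in-memory .tar.gz (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(blob, pinned_sha256):
    """What a pinning packager does: refuse any archive whose hash differs."""
    return sha256_hex(blob) == pinned_sha256


def member_digests(blob):
    """Hash every regular file inside the archive, without extracting to disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests


def changed_members(old_blob, new_blob):
    """Paths added, removed or modified between two archives."""
    old, new = member_digests(old_blob), member_digests(new_blob)
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))


# Constructed sample: the same release name served with different README bytes.
ORIGINAL = make_tarball({"pkg-1.0/README": b"Updated for version 1.0\n",
                         "pkg-1.0/main.c": b"int main(void) { return 0; }\n"})
ALTERED = make_tarball({"pkg-1.0/README": b"[DOI badge]\n\nUpdated for version 1.0\n",
                        "pkg-1.0/main.c": b"int main(void) { return 0; }\n"})
PINNED = sha256_hex(ORIGINAL)  # recorded when the package was first added

if __name__ == "__main__":
    print("original ok:", verify_pinned(ORIGINAL, PINNED))
    print("altered ok: ", verify_pinned(ALTERED, PINNED))
    print("changed:    ", changed_members(ORIGINAL, ALTERED))
```

Repacking identical files can also change the archive hash, because gzip and tar headers carry timestamps; the per-file comparison separates that case from a real content change.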