Hi Shengfa,
On Thu, 07 Jan, 2021 at 08:56:57 -0800, 'Shengfa Lin' via ChromeDriver Users wrote:
> The release script simply upload and overwrite the binaries for Windows,
> Linux and Mac which we thought would be safe to do.
yes, for normal users this should be safe to do (and to be honest Linux
distributions that care about reproducibility should build it from
source anyway). However, IMO it would be best to never modify uploaded
releases and instead release a new version (patch release).
> I did notice yesterday that only the hash of Linux binary changes but not
> the Windows and Mac.
> Is that what you have observed as well?
Yes, we don't fetch the Windows archive but the content/hash of the Mac
archive didn't change.
> I can look into why the hash for Linux changes when it's regenerated.
Thanks!
> Besides from the hash, does the change of update timestamp has an impact on
> your workflow?
No, but unfortunately in our case the hash change is enough to break the
package build. If the fetched source doesn't match the expected hash it
is rejected and the "build" fails (this is done to ensure
reproducibility and as an additional measure to prevent MITM attacks).
This should apply to most other Linux distributions as well (if they
don't build from source). E.g. here's a comment on the AUR package:
https://aur.archlinux.org/packages/chromedriver/#comment-784931
Not modifying uploaded archives also helps with trust and caching. E.g.
if the content/hash changes it is not immediately clear what has changed
and why (it could e.g. be a MITM attack, a targeted attack (serving a
different archive to certain users), or a hijacked web server).
For that reason alone it is IMO very important to never modify already
uploaded/published releases.
> We would like to evaluate if we can do the overwrite release in the future.
This is of course your decision but if I may ask is there any advantage
of overwriting releases instead of making a new patch release?
The potential advantages I could think of:
- It saves storage on the hosting service
- But I'm not sure if that's a concern/issue for you
- If users that have already downloaded the old archive shouldn't have
to download the new/modified one
- But then the question is if the new archive/upload is really
required in the first place
Kind regards,
Michael