sha256 of release 2.1.5 changed


#1

Hi.

I am one of the Homebrew-Linuxbrew package manager maintainers.
The sha256 of the 2.1.5 release has changed between the initial release and the current archive that can be downloaded now:
Expected: 6a5d8aaf3ffe22ef63dcee36da34fa448b70a3453f8cae30fd8e05c59751f8b4
Actual: 2f3de90a09bba6d24c89258be016fd6992886bda13dbbcaf03de58c765774845

What are the differences between the two archives? Was there some re-packaging done, or did somebody fiddle with your server and hijack it?

Related discussions:



(Pat David) #2

Ping @David_Tschumperle


(Mica) #3

I had this with a prior version of gmic too, since I believe David uploads each version by hand.


#4

Sometimes @David_Tschumperle pushes the pre version when it is stable enough. When I downloaded 2.1.5 yesterday, I actually got 2.1.6pre. Edit: The archive was under a new name, except that it would have been clearer if the link’s name had changed along with it.


(darix) #5

Never ever change the content of a tarball. EVER!

Upload it under a new name.


(Roman Lebedev) #7

Also, never ever change the git tag.


(darix) #8

Amen.

Version numbers are cheap. Use them.


(David Tschumperlé) #9

No server hijack detected so far.
It happens I’m posting two successive versions of the .tar.gz in the same day after I’ve discovered a small malfunction in the code or a mistake in the webpage.
That could explain that.


(Lyle Kroll) #10

I got the 2.1.6pre version too. Haven’t seen any issues though. :slight_smile:


#11

So this means there was a 2.1.5 release, and then the same release was re-released with different content? That is really confusing. At least from a user perspective. Ideally a 2.1.5.1 release should have been made.

We will re-release 2.1.5 with the new tar.gz then …


(darix) #12

Please. Really do not do that. As @iMichka said, just make it 2.1.6 or, if you have to, 2.1.5.1. Released tarballs should be treated as immutable.