sha256 of release 2.1.5 changed

Hi.

I am one of the Homebrew-Linuxbrew package manager maintainers.
The sha256 of the 2.1.5 release has changed between the initial release and the current archive that can be downloaded now:
Expected: 6a5d8aaf3ffe22ef63dcee36da34fa448b70a3453f8cae30fd8e05c59751f8b4
Actual: 2f3de90a09bba6d24c89258be016fd6992886bda13dbbcaf03de58c765774845

What are the differences between the two archives? Was there some re-packaging done, or did somebody fiddle with your server and hijack it?

Related discussions:
https://github.com/Homebrew/homebrew-core/pull/20372
https://github.com/Linuxbrew/homebrew-core/pull/4899

1 Like
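Added example, not part of the original thread or of any project's tooling: one way to answer the question in the first post, by hashing every file inside both archives and reporting whether the new archive is a pure re-pack (same contents, different metadata) or carries different files. The archive names, file names and sample contents are constructed for illustration.

```python
import hashlib
import io
import tarfile

def member_digests(archive_bytes):
    """Map each regular file in a tar archive to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():  # members are read in memory, never extracted to disk
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_archives(old_bytes, new_bytes):
    """Report the archive-level hash change and the per-file differences."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    return {
        "archive_hash_changed": hashlib.sha256(old_bytes).digest()
                                != hashlib.sha256(new_bytes).digest(),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def repack_only(report):
    """True when the archive hash changed but no file content did."""
    return report["archive_hash_changed"] and not (
        report["added"] or report["removed"] or report["modified"])

def build_archive(files, mtime):
    """Build a constructed .tar.gz in memory to serve as sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample archives (hypothetical package "example-1.0").
FILES = {"example-1.0/README": b"v1\n",
         "example-1.0/src/main.c": b"int main(void){return 0;}\n"}
ORIGINAL = build_archive(FILES, mtime=1_500_000_000)
REPACKED = build_archive(FILES, mtime=1_500_003_600)  # same files, new timestamps
REPLACED = build_archive({**FILES, "example-1.0/src/main.c": b"int main(void){return 1;}\n",
                          "example-1.0/NEWS": b"fix\n"}, mtime=1_500_003_600)

if __name__ == "__main__":
    print(compare_archives(ORIGINAL, REPACKED))
    print(compare_archives(ORIGINAL, REPLACED))
```

A report with empty `added`, `removed` and `modified` lists means the checksum moved only because of packaging metadata; anything else means the published release content itself changed and the pinned hash should not simply be updated without review.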

Ping @David_Tschumperle

I had this with a prior version of gmic too, since I believe David uploads each version by hand.

Sometimes @David_Tschumperle pushes the pre version when it is stable enough. When I downloaded 2.1.5 yesterday, I actually got 2.1.6pre. Edit: The archive was under a new name, except that it would have been clearer if the link’s name had changed along with it.

never ever change the content of a tarball. EVER!

upload it under a new name

2 Likes

Also, never ever change the git tag.

1 Like

Amen.

version numbers are cheap. use them.

No server hijack detected so far.
It happens that I post two successive versions of the .tar.gz on the same day after I’ve discovered a small malfunction in the code or a mistake in the webpage.
That could explain that.

I got the 2.1.6pre version too. Haven’t seen any issues though. 🙂

So this means there was a 2.1.5 release, and then the same release was re-released with different content? That is really confusing. At least from a user perspective. Ideally a 2.1.5.1 release should have been made.

We will re-release 2.1.5 with the new tar.gz then …

Please. Really do not do that. As @iMichka said, just make it 2.1.6 or, if you have to, 2.1.5.1. Released tarballs should be treated as immutable.

3 Likes