[Slackbuilds-users] GitHub MD5SUMs not reliable around Jan 30th

Erich Ritz erich.public at protonmail.com
Thu Feb 2 19:52:35 UTC 2023


Hey everybody, this actually affected one of my submissions.  It's a paid article on LWN (I don't have a membership), but it links to a GitHub blog post and there's enough in the first paragraph on LWN to describe the problem:

Git archive generation meets Hyrum's law

On January 30, the GitHub blog carried a brief notice that the checksums of archives (such as tarballs) generated by the site had just changed. GitHub's engineers were seemingly unaware of the consequences of such a change — consequences that were immediately evident to anybody familiar with either packaging systems or Hyrum's law. Those checksums were widely depended on by build systems, which immediately broke when the change went live; the resulting impact of jawbones hitting the floor was observed by seismographs worldwide. The change has been reverted for now, but it is worth looking at how GitHub managed to casually break vast numbers of build systems — and why this sort of change will almost certainly happen again.

And the GitHub blog post:
https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/

Action item for reviewers: MD5SUMs for source tarballs hosted on GitHub that have been submitted this week need to be verified again (the change that caused the problem has been reverted on GitHub's end).  Those submissions that were unlucky enough to use the "bad" MD5SUMs will be wrong (like mine was).

Erich
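
One way to run the re-check from the action item above, added here as an example and not part of the original message or of any SlackBuilds.org tooling: it parses a `.info` file, compares each recorded MD5SUM with the already-downloaded source, and flags URLs that look like GitHub-generated archives. The `/archive/` URL heuristic, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

ASSIGN = re.compile(r'^(\w+)="(.*?)"', re.M | re.S)  # KEY="value", value may span lines

def parse_info(text):
    """Map each .info variable to its whitespace-separated tokens."""
    return {k: v.replace("\\\n", " ").split() for k, v in ASSIGN.findall(text)}

def is_generated_archive(url):
    """Assumed heuristic: github.com /archive/ URLs are built on demand by the site."""
    u = urlparse(url)
    return u.hostname == "github.com" and "/archive/" in u.path

def verify(info_text, src_dir):
    """Return [(file, status, generated)] with status ok | mismatch | missing."""
    info, results = parse_info(info_text), []
    for suffix in ("", "_x86_64"):
        # DOWNLOAD and MD5SUM entries pair up positionally
        for url, want in zip(info.get("DOWNLOAD" + suffix, []), info.get("MD5SUM" + suffix, [])):
            path = Path(src_dir) / Path(urlparse(url).path).name
            if not path.is_file():
                status = "missing"
            else:
                got = hashlib.md5(path.read_bytes()).hexdigest()
                status = "ok" if got == want.lower() else "mismatch"
            results.append((path.name, status, is_generated_archive(url)))
    return results

def demo():
    """Constructed sample: a generated archive whose bytes changed, and a stable asset."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "v1.0.tar.gz").write_bytes(b"bytes served today")
        Path(d, "tool-data.bin").write_bytes(b"uploaded release asset")
        old = hashlib.md5(b"bytes served when the sum was recorded").hexdigest()
        good = hashlib.md5(b"uploaded release asset").hexdigest()
        info = (
            'PRGNAM="tool"\nVERSION="1.0"\n'
            'DOWNLOAD="https://github.com/example/tool/archive/v1.0.tar.gz \\\n'
            '          https://github.com/example/tool/releases/download/v1.0/tool-data.bin"\n'
            f'MD5SUM="{old} \\\n        {good}"\n'
            'DOWNLOAD_x86_64=""\nMD5SUM_x86_64=""\n'
        )
        return verify(info, d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A `mismatch` on an entry flagged as generated is the case to re-download and re-hash before approving the submission.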

