[Slackbuilds-users] GitHub MD5SUMs not reliable around Jan 30th
Konrad J Hambrick
kjhambrick at gmail.com
Fri Feb 3 19:45:38 UTC 2023
On Thu, Feb 2, 2023 at 1:52 PM Erich Ritz via SlackBuilds-users <
slackbuilds-users at slackbuilds.org> wrote:
> Hey everybody, this actually affected one of my submissions. It's a paid
> article on LWN (I don't have a membership), but it links to a GitHub blog
> post and there's enough in the first paragraph on LWN to describe the
> Git archive generation meets Hyrum's law
> On January 30, the GitHub blog carried a brief notice that the checksums
> of archives (such as tarballs) generated by the site had just changed.
> GitHub's engineers were seemingly unaware of the consequences of such a
> change — consequences that were immediately evident to anybody familiar
> with either packaging systems or Hyrum's law. Those checksums were widely
> depended on by build systems, which immediately broke when the change went
> live; the resulting impact of jawbones hitting the floor was observed by
> seismographs worldwide. The change has been reverted for now, but it is
> worth looking at how GitHub managed to casually break vast numbers of build
> systems — and why this sort of change will almost certainly happen again.
> And the GitHub blog post:
> Action item for reviewers: MD5SUMs for source tarballs hosted on GitHub
> that have been submitted this week need to be verified again (the change
> that caused the problem has been reverted on GitHub's end). Those
> submissions that were unlucky enough to use the "bad" MD5SUMs will be wrong
> (like mine was).
Thanks for the heads up.
I am an LWN subscriber.
Here is a 'sharable link' Git archive generation meets Hyrum's law
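
Added example (not part of the original thread, and not SlackBuilds.org tooling): one way a reviewer could re-check the MD5SUMs in a submission's .info file for archives that GitHub generates on request. It assumes the tarballs have already been re-downloaded into a local directory under their URL basenames; the function names, the sample .info and its project name are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample .info (hypothetical project; checksums are placeholders).
SAMPLE_INFO = '''PRGNAM="example"
DOWNLOAD="https://github.com/example/example/archive/v1.0/example-1.0.tar.gz \\
          https://github.com/example/example/releases/download/v1.0/data.tar.gz"
MD5SUM="5d41402abc4b2a76b9719d911017c592 \\
        7d793037a0760186574b0282f2f435e7"
'''

def parse_info(text):
    """Parse KEY="value" pairs without sourcing the file as shell."""
    joined = re.sub(r"\\\s*\n", " ", text)  # fold backslash continuations
    return {k: v.split() for k, v in re.findall(r'^(\w+)="([^"]*)"', joined, re.M)}

def is_generated_archive(url):
    """Heuristic (assumption): /archive/ tarballs are built on request by
    GitHub; /releases/download/ assets are uploaded files and are skipped."""
    u = urlparse(url)
    if u.hostname == "codeload.github.com":
        return True
    return u.hostname == "github.com" and "/archive/" in u.path

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def recheck(info_text, source_dir):
    """Return (url, status) for each generated GitHub archive in the .info."""
    info = parse_info(info_text)
    results = []
    for suffix in ("", "_x86_64"):
        urls = info.get("DOWNLOAD" + suffix, [])
        sums = info.get("MD5SUM" + suffix, [])
        for url, expected in zip(urls, sums):
            if not is_generated_archive(url):
                continue
            local = Path(source_dir) / Path(urlparse(url).path).name
            if not local.is_file():
                status = "missing"      # not re-downloaded yet
            elif md5_of(local) == expected.lower():
                status = "ok"
            else:
                status = "MISMATCH"     # submitted MD5SUM needs updating
            results.append((url, status))
    return results
```

A "MISMATCH" result only means the recorded sum and the current download differ; which of the two is the stale one still has to be decided by the reviewer.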