[Slackbuilds-users] GitHub MD5SUMs not reliable around Jan 30th

Konrad J Hambrick kjhambrick at gmail.com
Fri Feb 3 19:45:38 UTC 2023


On Thu, Feb 2, 2023 at 1:52 PM Erich Ritz via SlackBuilds-users <
slackbuilds-users at slackbuilds.org> wrote:

> Hey everybody, this actually affected one of my submissions.  It's a paid
> article on LWN (I don't have a membership), but it links to a GitHub blog
> post and there's enough in the first paragraph on LWN to describe the
> problem:
>
> Git archive generation meets Hyrum's law
>
> On January 30, the GitHub blog carried a brief notice that the checksums
> of archives (such as tarballs) generated by the site had just changed.
> GitHub's engineers were seemingly unaware of the consequences of such a
> change — consequences that were immediately evident to anybody familiar
> with either packaging systems or Hyrum's law. Those checksums were widely
> depended on by build systems, which immediately broke when the change went
> live; the resulting impact of jawbones hitting the floor was observed by
> seismographs worldwide. The change has been reverted for now, but it is
> worth looking at how GitHub managed to casually break vast numbers of build
> systems — and why this sort of change will almost certainly happen again.
>
> And the GitHub blog post:
> https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/
>
> Action item for reviewers: MD5SUMs for source tarballs hosted on GitHub
> that have been submitted this week need to be verified again (the change
> that caused the problem has been reverted on GitHub's end).  Those
> submissions that were unlucky enough to use the "bad" MD5SUMs will be wrong
> (like mine was).
>

Erich --

Thanks for the heads up.

I am an LWN subscriber.

Here is a 'sharable link': Git archive generation meets Hyrum's law
<https://lwn.net/SubscriberLink/921787/c51540263d76877b/>

-- kjh