abseil-cpp

Checksum of release archive has changed

Open jpakkane opened this issue 3 years ago • 6 comments

Describe the issue

This was originally reported as a Meson WrapDB issue.

Basically, downloading the release archive via this link reports a different checksum now than it used to.

The checksum used to be 4208129b49006089ba1d6710845a45e31c59b0ab6bff9e5788a87f55c5abd602.

Now it is 46c6aaccd6808dbbe53dbc499b99fc2d736b64edca295ded2e82ab3da2915e6c.

Manually downloading the archive and computing the checksum gives the latter. However it definitely has been the former at some point, as our CI system is gated on successfully downloading and verifying the values.

Steps to reproduce the problem

Download and run sha256sum on the file by hand.

What version of Abseil are you using?

20220623.0

What operating system and version are you using?

Ubuntu 22/10

What compiler and version are you using?

Not relevant.

What build system are you using?

Not relevant.

Additional context

No response

jpakkane avatar Jan 30 '23 21:01 jpakkane

The same issue was reported to GoogleTest. I'm copying my response here:

It wasn't changed by us. This issue is actually a good example of Hyrum's Law.

https://github.com/spack/spack/issues/5411 is another report of this:

Short story: GitHub has changed the way they generate their release "archives". They're generated dynamically so many checksums have changed for github.com/.../archive/ URLs. Looks like we may have to download all these tarballs and re-checksum them.

You can imagine, for example, that GitHub decided to change the compression level of the archives. This would change the checksum. The archives would still have the same contents, but the compressed bytes returned would not be the same.

derekmauro avatar Jan 30 '23 22:01 derekmauro
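The effect described in the comment above, as an added example that is not part of the original thread: the same tar stream gzip-compressed at two levels yields different archive SHA-256 values, while a digest over the member names and bytes stays the same. The sample files and all function names are constructed for illustration; the content-digest scheme is an assumption, not something GitHub, Abseil or WrapDB implements.

```python
import hashlib
import io
import tarfile
import zlib

# Constructed sample tree standing in for a tagged source snapshot.
SAMPLE_FILES = {
    "proj-1.0.0/README.md": b"sample project\n" * 40,
    "proj-1.0.0/src/lib.cc": b"int answer() { return 42; }\n" * 40,
}

def build_tar(files):
    """Build an uncompressed tar stream with fixed metadata (mtime stays 0)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def gzip_at_level(data, level):
    """Gzip-wrap data (wbits=31) at the given compression level."""
    comp = zlib.compressobj(level, zlib.DEFLATED, 31)
    return comp.compress(data) + comp.flush()

def archive_sha256(blob):
    """What a pinned checksum verifies: the hash of the compressed bytes."""
    return hashlib.sha256(blob).hexdigest()

def content_sha256(blob):
    """Hash member names, sizes and bytes, independent of the compression."""
    digest = hashlib.sha256()
    # Members are read in memory only; nothing is extracted to disk.
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if member.isfile():
                data = tar.extractfile(member).read()
                digest.update(f"{member.name}\0{member.size}\0".encode())
                digest.update(data)
    return digest.hexdigest()

def compare(level_a=1, level_b=9):
    """Return (archive hashes equal, content hashes equal) for two levels."""
    tar_bytes = build_tar(SAMPLE_FILES)
    a, b = gzip_at_level(tar_bytes, level_a), gzip_at_level(tar_bytes, level_b)
    return (archive_sha256(a) == archive_sha256(b),
            content_sha256(a) == content_sha256(b))
```

A pinned archive checksum fails in this situation even though the source tree is unchanged, which is why the thread goes on to recommend uploading a fixed release file instead of relying on a regenerated one.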

I think this issue should be reopened because changing the checksum of a release tarball is not acceptable. You should not rely on GitHub generated tarballs, but upload your own when doing a release.

xclaesse avatar Jan 30 '23 22:01 xclaesse

That's a fair point. It would be nice if GitHub had a button to do this automatically. Something like "this is a release, please save the tarball".

derekmauro avatar Jan 30 '23 22:01 derekmauro

I don't think there is a button for it but there is a fairly simple webui-based workflow:

  1. Create your release by tagging as usual.

  2. Download the GitHub autogenerated tarball with a browser (it does not matter whether you choose zip or tar as the format, either one is fine).

  3. Rename the v1.0.0.tar.gz file to abseil-something-something-1.0.0.tar.gz.

  4. Go to the project tags page, click on "create a new release from tag".

  5. Upload the file from step 3 as a release file.

jpakkane avatar Jan 30 '23 22:01 jpakkane

That can be scripted, WrapDB does it: https://github.com/mesonbuild/wrapdb/blob/master/tools/create_release.py#L118

xclaesse avatar Jan 30 '23 22:01 xclaesse

But it seems GitHub is going to revert this change: https://github.com/bazel-contrib/SIG-rules-authors/issues/11#issuecomment-1409438954

xclaesse avatar Jan 30 '23 22:01 xclaesse