[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Checksum mismatch for 1.8 release
From: |
Tim Rice |
Subject: |
Re: Checksum mismatch for 1.8 release |
Date: |
Tue, 17 Jan 2023 21:03:46 +0000 |
Hi Sean,
Oops, I missed your message on 4 Jan. Thankfully it was just brought to my
attention. Sorry for the delay in getting back to you.
So, I apologize for the confusion regarding the last release, it was my bad. I
am new to GNU maintainership and it was my first release. I hope it's not too
surprising, then, that the process had some hiccups.
tl;dr No, the GNU Datamash sources have not been compromized :)
Post mortem:
1. When preparing the release, I had trouble with the automated packaging
tools. In particular, the NEWS hash was out of date. This led to errors when
attempting the automated release approach which would normally be followed.
2. I was able to fix things manually, but then forgot the '-z` flag to tar when
preparing the release tarball. Therefore the announcement which I sent out was
for some .tar.gz files which actually were not compressed.
3. Shortly after the announcement, someone let me know they were having an
issue with the packaging because of the error in (2). (Thanks again to that
person, they caught it quickly, which is why you see a gap of only a few hours
before new files were sent up.)
4. I repackaged the files with no change except to add compression in the
expected way.
5. Since everything was signed with my public key, it seemed unlikely that any
confusion could arise. Therefore I declined adding noise to the announcement
mailing list just to advise of what seemed to me like a negligible adjustment.
Adding compression without actually changing the contents did not seem
announcement-worthy.
Sorry again for any confusion, and thanks for your patience. Please let me know
if that clears things up for you or if there is something else I can do to help
make this right.
Kind regards,
Tim
On Wed, Jan 04, 2023 at 08:56:08AM +0000, sean wrote:
Hi Datamash maintainers,
I just tried to download datamash 1.8 and the checksum that was reported in the
release anouncement: https://savannah.gnu.org/forum/forum.php?forum_id=10212
Doesn't seem correct anymore and the upload is from hours after that
announcement. Has the download been compromised?
Regards,
Sean Molenaar
Homebrew maintainer