From: Leo Famulari
Subject: bug#28659: v0.13: guix pull fails; libgit2-0.26.0 and 0.25.1 content hashes fail
Date: Sun, 1 Oct 2017 16:42:37 -0400
Message-ID: <20171001204237.GA11804@jasmine.lan>
References: <877ewf18d4.fsf@gnu.org> <87wp4e8yk5.fsf@gnu.org>
In-Reply-To: <87wp4e8yk5.fsf@gnu.org>
To: Jan Nieuwenhuizen
Cc: 28659@debbugs.gnu.org

On Sun, Oct 01, 2017 at 09:20:42PM +0200, Jan Nieuwenhuizen wrote:
> Jan Nieuwenhuizen writes:
>
> The changing of the libgit-0.26.0 checksum was already reported about 3
> weeks ago (github seems to only show relative dates)
>
> https://github.com/libgit2/libgit2/issues/4343
>
> and the bug is still open. It seems to be a github thing. As I
> understand it, currently our options are to update the hash and pray it
> won't happen again or host libgit2 tarballs ourselves.

I contacted GitHub about this issue a few weeks ago and they said that:

1) They do not guarantee bit-reproducibility of the snapshots they
generate automatically for each release tag, and they wish that people
would not rely on them as we do. However, since people *are* relying on
them, they are discussing this issue internally.

2) This is the relevant code change:

https://git.kernel.org/pub/scm/git/git.git/commit/?id=22f0dcd9634a818a0c83f23ea1a48f2d620c0546

In the meantime, we can add this to the list of reasons that
reproducibility is difficult in the long term.

I don't have any solutions in mind besides keeping substitutes available
for as long as possible and, for users, using substitutes.

We might also petition upstream projects to offer a "real" release
tarball.
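
A triage check for this kind of hash mismatch, added here as an example (not part of the original message and not Guix code): given a previously verified tarball and a freshly downloaded one, it tells a regenerated archive with the same files apart from one whose file contents changed. The archives, the libfoo-1.0 paths and all function names are constructed for illustration, and the repacking differences modelled (timestamps, an extra empty directory entry) are assumptions.

```python
import gzip, hashlib, io, tarfile

def make_snapshot(files, mtime, empty_dirs=()):
    """Build a constructed .tar.gz in memory (stands in for a forge snapshot)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for d in empty_dirs:
            info = tarfile.TarInfo(d)
            info.type, info.mode, info.mtime = tarfile.DIRTYPE, 0o755, mtime
            tar.addfile(info)
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(data), 0o644, mtime
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), mtime=mtime)

def byte_digest(blob):
    """SHA-256 over the archive bytes: changes whenever the archive is regenerated."""
    return hashlib.sha256(blob).hexdigest()

def file_manifest(blob):
    """Map each file path to (executable bit, sha256 of data); symlinks to target."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                data = tar.extractfile(m).read()
                manifest[m.name] = (bool(m.mode & 0o100), hashlib.sha256(data).hexdigest())
            elif m.issym():
                manifest[m.name] = ("symlink", m.linkname)
    return manifest  # directory entries and timestamps are deliberately ignored

def triage(trusted_blob, new_blob):
    """Classify a mismatch between a trusted tarball and a new download."""
    if byte_digest(trusted_blob) == byte_digest(new_blob):
        return "identical"
    old, new = file_manifest(trusted_blob), file_manifest(new_blob)
    if old == new:
        return "repacked"
    changed = sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
    return "content-changed: " + ", ".join(changed)

# Constructed sample data: same release, regenerated later, and a modified copy.
FILES = {"libfoo-1.0/README": b"hello\n", "libfoo-1.0/src/main.c": b"int x;\n"}
OLD = make_snapshot(FILES, 1500000000, empty_dirs=["libfoo-1.0/empty"])
NEW = make_snapshot(FILES, 1505000000)
TAMPERED = make_snapshot({**FILES, "libfoo-1.0/src/main.c": b"int y;\n"}, 1505000000)

if __name__ == "__main__":
    for label, blob in (("new", NEW), ("tampered", TAMPERED)):
        print(label, byte_digest(blob)[:16], triage(OLD, blob))
```

A "repacked" result means the pinned hash can be refreshed after review; a "content-changed" result lists the paths to inspect before trusting the new download.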