[opam-devel] Stable archive checksums

Anil Madhavapeddy anil at recoil.org
Thu Jun 26 20:37:26 BST 2014


GitHub archives are stable in my experience except under one notable change: if you do a repo transfer to another organization, the redirect from the old one points to releases with a new checksum.  This is a fairly rare event, but it's worth keeping in mind.

Markus, have you spotted other cases where checksums change?

-anil

On 26 Jun 2014, at 20:33, Ashish Agarwal <agarwal1975 at gmail.com> wrote:

> A quick grep through the current 2,383 url files gives me 970 that are pointing to github.com. Of that, 810 have "/archive/" in the url, which I believe indicates that they are pointing to the tarballs automatically generated for a commit. Doesn't this indicate a potential big problem if github changes the way they generate tarballs. All of these checksums will fail.
> 
> Only 10 of the 970 have "/releases/" in their url, which I think indicates a fixed binary file.
> 
> 
> 
> On Thu, Jun 26, 2014 at 3:22 PM, Anil Madhavapeddy <anil at recoil.org> wrote:
> On 26 Jun 2014, at 17:58, Markus Mottl <markus.mottl at gmail.com> wrote:
> 
> > Hi,
> >
> > since a lot of OPAM packagers are using Github, to which I'm
> > transitioning my projects, I just wondered how you are dealing with
> > the problem of downloading archives with stable checksums.
> >
> > The online information is rather confusing, but it is my impression
> > that there is no guarantee that downloading an archive from Github
> > will give you files with equivalent checksums.  Github apparently
> > doesn't support download pages with fixed files anymore unlike
> > Bitbucket, which I'm currently using.  AFAIK, Github cleans out
> > generated archive files if not downloaded again soon enough so there
> > is some chance that changes to e.g. git, tar, or gzip could screw up
> > archive checksums.
> >
> > Any suggestions on how to best interact with Github for downloading
> > stable packages via OPAM?
> 
> GitHub does support downloadable binary archives, but it's called
> "Releases".  See for example:
> 
> https://github.com/ocaml/opam/releases
> 
> for the binary uploads against a tag.
> 
> API is here:
> https://developer.github.com/v3/repos/releases/
> 
> My OCaml GitHub bindings have a little command line utility to upload stuff via the command-line (you can probably do the same with Curl as well).
> 
> ```
> opam install github
> git-upload-release --help
> ```
> 
> cheers,
> Anil
> _______________________________________________
> opam-devel mailing list
> opam-devel at lists.ocaml.org
> http://lists.ocaml.org/listinfo/opam-devel
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ocaml.org/pipermail/opam-devel/attachments/20140626/db3662e3/attachment.html>


More information about the opam-devel mailing list