<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">GitHub archives are stable in my experience except under one notable change: if you do a repo transfer to another organization, the redirect from the old one points to releases with a new checksum. This is a fairly rare event, but it's worth keeping in mind.<div><br></div><div>Markus, have you spotted other cases where checksums change?</div><div><br></div><div>-anil</div><div><br><div><div><div>On 26 Jun 2014, at 20:33, Ashish Agarwal <<a href="mailto:agarwal1975@gmail.com">agarwal1975@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">A quick grep through the current 2,383 url files gives me 970 that are pointing to <a href="http://github.com/">github.com</a>. Of those, 810 have "/archive/" in the URL, which I believe indicates that they are pointing to the tarballs automatically generated for a commit. Doesn't this indicate a potential big problem if GitHub changes the way they generate tarballs? All of these checksums will fail.<div>
<br></div><div>Only 10 of the 970 have "/releases/" in their URL, which I think indicates a fixed binary file.</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 26, 2014 at 3:22 PM, Anil Madhavapeddy <span dir="ltr"><<a href="mailto:anil@recoil.org" target="_blank">anil@recoil.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 26 Jun 2014, at 17:58, Markus Mottl <<a href="mailto:markus.mottl@gmail.com">markus.mottl@gmail.com</a>> wrote:<br>
<br>
> Hi,<br>
><br>
> since a lot of OPAM packagers are using GitHub, to which I'm<br>
> transitioning my projects, I just wondered how you are dealing with<br>
> the problem of downloading archives with stable checksums.<br>
><br>
> The online information is rather confusing, but it is my impression<br>
> that there is no guarantee that downloading an archive from GitHub<br>
> will give you files with equivalent checksums. GitHub apparently<br>
> doesn't support download pages with fixed files anymore, unlike<br>
> Bitbucket, which I'm currently using. AFAIK, GitHub cleans out<br>
> generated archive files if not downloaded again soon enough so there<br>
> is some chance that changes to e.g. git, tar, or gzip could screw up<br>
> archive checksums.<br>
><br>
> Any suggestions on how to best interact with GitHub for downloading<br>
> stable packages via OPAM?<br>
<br>
</div>GitHub does support downloadable binary archives, but it's called<br>
"Releases". See for example:<br>
<br>
<a href="https://github.com/ocaml/opam/releases" target="_blank">https://github.com/ocaml/opam/releases</a><br>
<br>
for the binary uploads against a tag.<br>
<br>
API is here:<br>
<a href="https://developer.github.com/v3/repos/releases/" target="_blank">https://developer.github.com/v3/repos/releases/</a><br>
<br>
My OCaml GitHub bindings have a little command-line utility to upload stuff via the command line (you can probably do the same with curl as well).<br>
<br>
```<br>
opam install github<br>
git-upload-release --help<br>
```<br>
<br>
cheers,<br>
Anil<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
opam-devel mailing list<br>
<a href="mailto:opam-devel@lists.ocaml.org">opam-devel@lists.ocaml.org</a><br>
<a href="http://lists.ocaml.org/listinfo/opam-devel" target="_blank">http://lists.ocaml.org/listinfo/opam-devel</a><br>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div></div></body></html>