[opam-devel] Stable archive checksums

Markus Mottl markus.mottl at gmail.com
Thu Jun 26 21:35:53 BST 2014

Thanks for pointing me to the GitHub OCaml-bindings, this is likely
going to be helpful for automating releases.

I ran into checksum problems with Mercurial a long time ago when using
version control tags to obtain archives on the fly, which is why I
want to avoid this issue with GitHub.

I think OPAM-contributors should be aware that tool upgrades at GitHub
(e.g. git, tar, gzip) could potentially break checksums across all
versions of all their packages, which would surely cause a lot of
headaches.  Using the "Releases"-feature on GitHub to upload fixed
tarballs may be the only reliable way around this.  It seems only 10
packages are getting this right as of now...


On Thu, Jun 26, 2014 at 3:37 PM, Anil Madhavapeddy <anil at recoil.org> wrote:
> GitHub archives are stable in my experience except under one notable change:
> if you do a repo transfer to another organization, the redirect from the old
> one points to releases with a new checksum.  This is a fairly rare event,
> but it's worth keeping in mind.
> Markus, have you spotted other cases where checksums change?
> -anil
> On 26 Jun 2014, at 20:33, Ashish Agarwal <agarwal1975 at gmail.com> wrote:
> A quick grep through the current 2,383 url files gives me 970 that are
> pointing to github.com. Of that, 810 have "/archive/" in the url, which I
> believe indicates that they are pointing to the tarballs automatically
> generated for a commit. Doesn't this indicate a potential big problem if
> github changes the way they generate tarballs. All of these checksums will
> fail.
> Only 10 of the 970 have "/releases/" in their url, which I think indicates a
> fixed binary file.
> On Thu, Jun 26, 2014 at 3:22 PM, Anil Madhavapeddy <anil at recoil.org> wrote:
>> On 26 Jun 2014, at 17:58, Markus Mottl <markus.mottl at gmail.com> wrote:
>> > Hi,
>> >
>> > since a lot of OPAM packagers are using Github, to which I'm
>> > transitioning my projects, I just wondered how you are dealing with
>> > the problem of downloading archives with stable checksums.
>> >
>> > The online information is rather confusing, but it is my impression
>> > that there is no guarantee that downloading an archive from Github
>> > will give you files with equivalent checksums.  Github apparently
>> > doesn't support download pages with fixed files anymore unlike
>> > Bitbucket, which I'm currently using.  AFAIK, Github cleans out
>> > generated archive files if not downloaded again soon enough so there
>> > is some chance that changes to e.g. git, tar, or gzip could screw up
>> > archive checksums.
>> >
>> > Any suggestions on how to best interact with Github for downloading
>> > stable packages via OPAM?
>> GitHub does support downloadable binary archives, but it's called
>> "Releases".  See for example:
>> https://github.com/ocaml/opam/releases
>> for the binary uploads against a tag.
>> API is here:
>> https://developer.github.com/v3/repos/releases/
>> My OCaml GitHub bindings have a little command line utility to upload
>> stuff via the command-line (you can probably do the same with Curl as well).
>> ```
>> opam install github
>> git-upload-release --help
>> ```
>> cheers,
>> Anil
>> _______________________________________________
>> opam-devel mailing list
>> opam-devel at lists.ocaml.org
>> http://lists.ocaml.org/listinfo/opam-devel

Markus Mottl        http://www.ocaml.info        markus.mottl at gmail.com

More information about the opam-devel mailing list