Releases have been altered after publication #4428
Comments
|
I'm sorry that this happened & I'm investigating on this, but (as you said) this should never happen. i strongly suspect we re-released v0.7.2 instead of releasing v0.7.3 by mistake. thank you for noticing this. |
FYI, the |
|
@wargio Also, v0.7.2.tar.gz apparently has not been altered (for whichever reason) since its publication. It appears to be identical in contents (besides the So if you don't have |
|
yes, i'm aware. we noticed that for some reasons by pushing commits on stable, instead of adding the bins to the release on tag it also pushes new bins each time we push commits to the stable branch. this is weird and wrong. we will publish soon v0.7.3 which hopefully will fix this also |
|
https://github.com/rizinorg/rizin/releases/tag/v0.7.3 But the problem of the release scripts that would update the release if pushed to |
The answers are important regarding the hash stored in projects like nixpkgs to validate the data supplied for a given version. |
|
it's kinda difficult to revert all the release artifacts. since due the xz vulnerability, some sources are not available anymore, thus we cannot just re-run the CI |
Expected behavior
Release versions refer to a fixed state, frozen in time.
Actual behavior
The downloadable file refered to by a given version changes in content over time.
Steps to reproduce the behavior
Compare the initial file released as
rizin-src-v0.7.2.tar.xzwith the one currently accessible.The hash changed from
sha256-/P8/tFrit14/YEvHoIB24yLm4U3veQmBhjeAZcyzWCo=tosha256-6vnkOl2heENHp0ZyTllDj0oWlNyh5ipQCSAJ8BcuH2w=.Steps to mitigate the behavior
Please release files under a new patch version instead of modifying the published files.
The text was updated successfully, but these errors were encountered: