Tarball downloads aren't stable for google/jsonnet #666
Based on the quote below (although from the rest of the thread it seems like GitHub's stance on this is still not totally clear), it would be necessary for google/jsonnet to start manually uploading a source archive as part of the release process, as the automatically generated ones cannot be relied upon to be stable, even for tags.
Yeah it looks like they walked this back, but they want to prevent people from relying on those generated archives. https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/
Really the git revision code ought to be good enough, as opposed to hashing the content of the tarball? I'm not sure what you can do in your CI system though?
At Google we can repeat any build from any time and get exactly the same bytes, but that requires having a consistent version of all the software used to produce the tarball, including the tar executable itself, the stdlib, and even the compiler. That's not necessarily an option available to everyone.
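The comments above contrast hashing the generated tarball with identifying the source itself; the following is an added example, not code from this thread or from the jsonnet project, showing that the same files packed with different settings give different archive SHA-256 values while a digest over the extracted contents stays fixed. The sample tree, the function names and the content-digest scheme are assumptions made for illustration (it is not git's tree hash or Bazel's `sha256` attribute).

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree standing in for a tagged source checkout.
SAMPLE_TREE = {
    "jsonnet-0.0.0/README.md": b"constructed sample\n",
    "jsonnet-0.0.0/src/main.cc": b"int main() { return 0; }\n" * 200,
}

def make_archive(tree, compresslevel, mtime):
    """Pack the same files into a .tar.gz, varying only packaging settings."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mode = 0o644
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb",
                       compresslevel=compresslevel, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """What a pinned tarball checksum verifies: the exact compressed bytes."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """Digest over path, mode and bytes of each regular file, in sorted order.

    Timestamps and compression are ignored; directories and symlinks are
    skipped to keep this illustration small.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        files = sorted((m for m in tar.getmembers() if m.isfile()),
                       key=lambda m: m.name)
        for m in files:
            data = tar.extractfile(m).read()
            h.update(f"{m.name}\0{m.mode:o}\0{len(data)}\0".encode())
            h.update(data)
    return h.hexdigest()
```

A content digest requires parsing the archive before it is verified, so a checksum pinned to an uploaded release asset remains the simpler check when one is available.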
It seems like a git hash is being depended on
go-jsonnet/bazel/repositories.bzl
Line 8 in a39e181
According to GitHub those hashes are subject to change: bazel-contrib/SIG-rules-authors#11
This should probably depend on a tag instead.
Currently our CI is failing due to this: