faircamp: fix source archive sha256 #160655

Merged
merged 2 commits into from
Jan 23, 2024

themissingcow

Faircamp is built from a Codeberg tag source archive. For unknown reasons, the sha of the 0.11.0 archive changed recently:

https://post.lurk.org/@freebliss/111796021611406917

This commit resets the sha to that of the currently available source archive. This seems, for now, to be stable. It can be verified as follows:

curl https://codeberg.org/simonrepp/faircamp/archive/0.11.0.tar.gz | shasum -a 256 -

I wasn't sure whether the bottle do section needed updating, as this wasn't a version bump (the existing bottles are valid), so have left them as-is for now.

  • Have you followed the guidelines for contributing?
  • Have you ensured that your commits follow the commit style guide?
  • Have you checked that there aren't other open pull requests for the same formula update/change?
  • Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
  • Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
  • Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

@github-actions github-actions bot added rust Rust use is a significant feature of the PR or issue macos-only Formula depends on macOS ffmpeg FFMPEG use is a significant feature of the PR or issue labels Jan 22, 2024
Contributor

Thanks for contributing to Homebrew! 🎉 It looks like you're having trouble with a CI failure. See our contribution guide for help. You may be most interested in the section on dealing with CI failures. You can find the CI logs in the Checks tab of your pull request.

@themissingcow
Author

The test failures seem expected:

    * stable sha256 changed without the url/version also changing; please create an issue upstream to rule out malicious circumstances and to find out why the file changed.

Can anyone advise as to how to proceed? This thread with the upstream maintainer explains the situation and intended remediation actions.

@simonrepp

Faircamp maintainer here, I ran dozens of checks yesterday to confirm that malicious circumstances for the sha256 change can be pretty much ruled out. The hash change occurred with very high probability due to a change in how the tarball is generated/compressed through forgejo at codeberg - this reflects similar incidents at gitea (go-gitea/gitea#26620) and even github (https://github.com/orgs/community/discussions/45830) last year. Going forward with future releases we will probably have manually uploaded source tarballs to ensure checksum stability, but until then it would be great if installability of faircamp via brew was restored by approving the hash change. Thanks for your time and efforts!
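
One way a reviewer can check the "regenerated tarball" explanation independently, as an added example that is not part of the original thread or of Homebrew's tooling: compare the two archives file by file, so that a change in compression or packing is told apart from a change in the source itself. It assumes a copy of the previously pinned archive is still available (for example from a download cache); the file names and contents below are constructed sample data.

```python
import gzip
import hashlib
import io
import tarfile


def archive_sha256(blob: bytes) -> str:
    """Hash of the compressed archive bytes (what a formula's sha256 pins)."""
    return hashlib.sha256(blob).hexdigest()


def content_manifest(blob: bytes) -> dict:
    """Map each member path to (type, mode, digest of data or link target)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            else:
                digest = member.linkname  # link target; empty for directories
            manifest[member.name] = (member.type, member.mode, digest)
    return manifest


def changed_paths(old: bytes, new: bytes) -> list:
    """Paths added, removed or altered between the two archives."""
    a, b = content_manifest(old), content_manifest(new)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


def classify(old: bytes, new: bytes) -> str:
    if archive_sha256(old) == archive_sha256(new):
        return "identical"
    return "content-changed" if changed_paths(old, new) else "repacked"


def build_sample(files: dict, level: int) -> bytes:
    """Constructed test input: a small tar.gz built in memory."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=0)


FILES = {"faircamp/src/main.rs": b"fn main() {}\n" * 200}  # constructed sample
OLD = build_sample(FILES, 9)
REPACKED = build_sample(FILES, 1)  # same files, different gzip settings
EDITED = build_sample({"faircamp/src/main.rs": b"fn main() { }\n" * 200}, 9)
```

A result of `repacked` means the archive hash moved while every file's path, mode and content stayed the same; `content-changed` together with `changed_paths` points at the files that need a manual diff before a new sha256 is accepted.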

@chenrui333 chenrui333 added checksum mismatch SHA-256 doesn't match the download CI-no-fail-fast Continue CI tests despite failing GitHub Actions matrix builds. labels Jan 22, 2024
@chenrui333
Member

chenrui333 commented Jan 22, 2024

@themissingcow yeah, it is fine, you can ignore that bot message.

@simonrepp thanks for confirming the re-tagging.

@chenrui333 chenrui333 added the ready to merge PR can be merged once CI is green label Jan 22, 2024
@github-actions github-actions bot added the CI-published-bottle-commits The commits for the built bottles have been pushed to the PR branch. label Jan 23, 2024
@BrewTestBot BrewTestBot added this pull request to the merge queue Jan 23, 2024
Merged via the queue into Homebrew:master with commit 83a9ce7 Jan 23, 2024
12 checks passed