
Comments (15)

rjbou avatar rjbou commented on June 21, 2024 1

The SWHID story is explained in this comment ocaml/opam#5720 (comment).

To complete: As Software Heritage recomputes archives from sources, it is not possible to use the original checksum that is given. That's why we rely on the swhid given/generated by maintainers & checked by the opam repo CI to be sure that we have the good source & opam checks it. There is no blind reliance on SWH servers.

from opam-repository.

zoggy avatar zoggy commented on June 21, 2024 1

But it may be heavier to handle for each new release. I can live with tarballs in the repo, so don't bother, I will add tarballs to lru-cache and css repositories tomorrow and submit a patch for opam files in opam repo.


zoggy avatar zoggy commented on June 21, 2024

Don't know what happened, release 0.1.0 is the same as 11 months ago: https://framagit.org/zoggy/ocaml-css/-/tags but indeed this does not have the same sha512.

The .gitattributes file was modified in January, to ignore the file .header instead of header when exporting, so the only explanation I see is that gitlab uses the current version of .gitattributes to create tar archives instead of the version corresponding to the release tag, producing a different archive file. So it seems ok to change the checksums in the opam package file.


mseri avatar mseri commented on June 21, 2024

@zoggy I have a copy of the tarball with the correct hash: if you can upload it as release artifact and update the url in the opam file, I'd be happy to send it to you. Otherwise I can upload it on the opam-source-archives


zoggy avatar zoggy commented on June 21, 2024

(sorry for the late answer, holidays...) I think it's better to put the tarball on the opam source archives. By the way, maybe having all referenced tarballs of opam packages on this source archive repo would be better? Is there a way to automate this?


mseri avatar mseri commented on June 21, 2024

That is just a temporary solution and very limited by the maximum size of repositories. From my understanding the plan is integrating opam with software heritage and then getting the sources directly from there. It may be that this is happening soon, let me ping @kit-ty-kate, who knows more.


hannesm avatar hannesm commented on June 21, 2024

FWIW, the tarball is available as https://opam.robur.coop/cache/md5/bc/bc4bdcf47b37c7bd50bf9f31c391dcd2


zapashcanon avatar zapashcanon commented on June 21, 2024

For a few years now, with the work of @rjbou and myself, all packages are automatically archived by software heritage. Moreover, if the SWHID is added to the opam file, opam is also able to fetch the sources from SWH in case they are missing.

The only (IIRC) thing left to do is patching the opam repository with all the SWHIDs.


kit-ty-kate avatar kit-ty-kate commented on June 21, 2024

The only (IIRC) thing left to do is patching the opam repository with all the SWHIDs.

I disagree. Software Heritage is a flawed platform and should not be trusted in my opinion as long as ocaml/opam#5720 is still a problem.


zapashcanon avatar zapashcanon commented on June 21, 2024

I thought this had been clarified. The SWHID is a form of checksum and it is checked by opam when downloading, and it is thus as safe to use as a checksum: if the SWHID is the same, the content is the same. We could also make opam-repo check that the added SWHID is initially valid (as it does for checksums, I guess).


hannesm avatar hannesm commented on June 21, 2024

I have to admit, I appreciate the work on software heritage. I'd still have a better feeling if opam would always check recorded checksums. What is the price? Not too much. What is the value? Well, who ensures that software heritage servers are never compromised?

So, the value of locally verifying checksums is that opam can be trusted without any thoughts on software heritage, its operations etc.


zapashcanon avatar zapashcanon commented on June 21, 2024

I'd still have a better feeling if opam would always check recorded checksums.

As I'm trying to explain, it does, but here the checksum would simply be called "SWHID". You can compute it locally, check that it matches the recorded SWHID etc.

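An added example (not code from this thread, nor from opam or Software Heritage) of what "the SWHID is a checksum you can compute locally" means in practice: content identifiers are git blob hashes and directory identifiers are git tree hashes, so a client can recompute the identifier over an unpacked archive and compare it with the one recorded in the package metadata. The in-memory tree model, the two sample exports and `check_swhid` are assumptions made for the example; symlinks, executable bits and revision/release identifiers are not modelled.

```python
import hashlib
import hmac
from typing import Dict, Union

# In-memory model of an unpacked source archive: name -> file bytes or sub-tree.
Tree = Dict[str, Union[bytes, "Tree"]]


def swhid_cnt(data: bytes) -> str:
    """Content SWHID: the git blob id, i.e. sha1 over "blob <len>\\0<data>"."""
    digest = hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()
    return "swh:1:cnt:" + digest


def _tree_digest(tree: Tree) -> bytes:
    """Raw sha1 of the git tree object built from `tree`: files are mode 100644,
    sub-directories mode 40000 (symlinks/executables deliberately not modelled)."""
    entries = []
    for name, node in tree.items():
        if isinstance(node, dict):
            # git orders directory entries as if their name ended in "/"
            entries.append((name + "/", b"40000", name, _tree_digest(node)))
        else:
            blob = bytes.fromhex(swhid_cnt(node)[-40:])
            entries.append((name, b"100644", name, blob))
    entries.sort(key=lambda e: e[0].encode())
    body = b"".join(mode + b" " + name.encode() + b"\0" + digest
                    for _, mode, name, digest in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).digest()


def swhid_dir(tree: Tree) -> str:
    """Directory SWHID: the git tree id of the unpacked archive root."""
    return "swh:1:dir:" + _tree_digest(tree).hex()


def check_swhid(recorded: str, tree: Tree) -> bool:
    """What an opam-style client does: recompute locally and compare with the
    identifier recorded in the package metadata (constant-time comparison)."""
    return hmac.compare_digest(recorded, swhid_dir(tree))


# Constructed sample: the same sources exported before and after a .gitattributes
# change that excludes ".header" instead of "header" (the situation in the thread).
OLD_EXPORT: Tree = {"src": {"css.ml": b"let x = 1\n"}, "header": b"(* c *)\n"}
NEW_EXPORT: Tree = {"src": {"css.ml": b"let x = 1\n"}, ".header": b"(* c *)\n"}

if __name__ == "__main__":
    recorded = swhid_dir(OLD_EXPORT)  # the value a maintainer would record
    print(recorded, check_swhid(recorded, OLD_EXPORT), check_swhid(recorded, NEW_EXPORT))
```

Because the identifier is derived from the content alone, it does not matter which server handed over the bytes: a re-generated archive whose file set differs fails the check exactly as a sha512 mismatch would.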

hannesm avatar hannesm commented on June 21, 2024

Ah, thanks Raja. I keep on forgetting about the details about swhid.


zoggy avatar zoggy commented on June 21, 2024

Thanks @hannesm for the tarball.

So hosting tarballs on the opam source archive is not the perennial way to go, and SWH is not yet ready. Gitlab does not seem to offer a way to upload tarballs either, except in the repo itself (for example in the public directory, used for the web pages) but I'd like to avoid that. Any other place to upload such archives?


mseri avatar mseri commented on June 21, 2024
