Refer to upstream sources via release artifacts rather than generated archives #2831
Comments
markusboehme
added
type/enhancement
markusboehme
changed the title
stmcginnis
added
status/icebox
|
Following are the packages where we get the tar file from github generated archives: |
|
Will update packages/makedumpfile/Cargo.toml and packages/libnl/Cargo.toml to use static resources once updated version will be available. |
in playing around w/ package and package sources in bottlerocket, I noticed some 404s. Some were due to the issue outlined in bottlerocket-os#2831 regarding GitHubs switch away from generated archives, with this typo being an easy outlier to quickly fix. Signed-off-by: Gavin Inglis <giinglis@amazon.com>
in playing around w/ package and package sources in bottlerocket, I noticed some 404s. Some were due to the issue outlined in bottlerocket-os#2831 regarding GitHubs switch away from generated archives, with this typo being an easy outlier to quickly fix. Signed-off-by: Gavin Inglis <giinglis@amazon.com>
GitHub recently disturbed several projects' build processes by accidentally changing the way archives are generated. The change retained all archive contents, but the structural change led to hash sum checks breaking. More on this can be found in this article on LWN. GitHub responded by promising some advance notice for future changes affecting archive hashes.
Since Bottlerocket refers to third-party packages via
https://github.com/${org}/$[repo}/archive/...URLs it would have been similarly affected by this. Consider referring to third-party package sources via static release artifact files instead of archives that are generated on demand.The text was updated successfully, but these errors were encountered: