(#14620) libzip: Use robust github mirror #14619
@ericLemanissier @uilianries this is a potential show-stopper for all projects using libzip via Conan. Should the build pass, can we please get this reviewed soon? I'll open a bug ticket... Thanks a lot for your help!
Does https://github.com/nih-at/libzip/releases/download/v1.9.2/libzip-1.9.2.tar.gz have the same sha? Please add mirror instead of replacing existing source
@ericLemanissier it doesn't.... I'll post a screenshot why
Thanks a lot @ericLemanissier! I hope we can get this in very soon....
Thanks @miklelappo for troubleshooting and fixing this one. Is the original file with the original file available anywhere? That is, in the screenshot with the before and after, where is the "before" coming from if libzip.org is down? If the original file with the original file is available, out of an abundance of caution (based on past experience), I'd like to make sure that the checksums of each individual file inside the package match what was there previously. We have seen instances in the past where even for the same release number, the contents do change in a way that impacts behaviour seen by consumers.
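The per-file check requested above, as an added example that is not part of the original thread or of Conan Center's tooling: it hashes every file inside two tarballs and reports which files were added, removed or changed, so an archive-level checksum mismatch can be attributed to specific members. The archives and names used here (`demo-1.0`, `compare_tarballs`, `make_tarball`) are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(blob, strip=1):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links carry no content to hash
            path = "/".join(member.name.split("/")[strip:]) or member.name
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_tarballs(old_blob, new_blob):
    """Return (only_in_old, only_in_new, changed) as sorted path lists."""
    old, new = member_digests(old_blob), member_digests(new_blob)
    only_old = sorted(set(old) - set(new))
    only_new = sorted(set(new) - set(old))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return only_old, only_new, changed


def make_tarball(root, files):
    """Build a constructed .tar.gz in memory from {relative path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives, not the real libzip tarballs.
COMMON = {"CMakeLists.txt": b"project(demo)\n", "lib/zip.c": b"int zip;\n"}
EXTRA = {".clang-format": b"BasedOnStyle: LLVM\n", ".github/workflows/build.yml": b"on: push\n"}
CACHED = make_tarball("demo-1.0", COMMON)
MIRROR = make_tarball("demo-1.0", {**COMMON, **EXTRA})
TAMPERED = make_tarball("demo-1.0", {**COMMON, "lib/zip.c": b"int zip = 1;\n"})

if __name__ == "__main__":
    for label, blob in (("mirror", MIRROR), ("tampered", TAMPERED)):
        print(label, compare_tarballs(CACHED, blob))
```

Files that exist only in one archive show up as a reviewable difference, while any path under `changed` is a content change in a file both archives share and needs explaining before the new checksum is accepted.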
libzip.org doesn't seem to be down anymore and we require additional verification to handle checksum/URL changes - please bear with us :)
@jcar87, libzip.org went back up after almost a day. I guess we still want the change in, because GitHub is more reliable in future, right? The "before" is coming from the Conan cache. I guess meld is doing the required checksumming, but we can do it again.
GitHub itself as a whole probably, but we need to be careful about the tarballs that are served via the On the other hand, I can see that this project has Releases on its GitHub page, with the URL for 1.8.0 being: Notice how this is in
This gives us some redundancy, while preserving the checksums the recipe had already been built against :)
All right!
1d2425b
b1cc021
to
1d2425b
https://libzip.org is down Use github mirror for releases.
1d2425b
to
1736e0b
@jcar87 fixed.
Thanks so much! :)
Nice catch eric 👍 Seems like teamwork makes the dream work
Those files are "manually" selected and picked by the project maintainers in my experience so those are definitely way better |
I think the sha is wrong for github's release link. These also have .github folder and clang-format file |
@ericLemanissier I just checked locally by removing non-github paths and sha-ing seems to work for me
@miklelappo I don't understand where your screenshot above comes from. The files I get from https://libzip.org/download/libzip-1.8.0.tar.gz and https://libzip.org/download/libzip-1.7.2.tar.gz have .github folder and clang-format file
Ah, you mean the very early screenshot from this morning? This was the unpacked Conan cache on my working machine when libzip.org was down... there I didn't have those files. Good, but we don't have concerns that the links you posted above (https://libzip.org/...) have incorrect checksums?
What is important is that the links we have right now point to the same file with the same sha... and as @jcar87 correctly pointed out, the archive one has a different checksum
I have no concern about the correction as it is now. This is exactly what I suggested (not clearly enough) in #14619 (comment). I'm confused because of the screenshot which does not make sense.
Understood. Sorry for the confusion... I didn't know the difference between archive and release source provided by GitHub... Need to take a closer look into that
https://libzip.org is down
Use github mirror for releases.
The difference in SHAs is related to the .github directory and .clang-format file, which are present in the GitHub release.
The source was compared to the original used by Conan to avoid a potential attack by getting libzip.org down and faking GitHub sources.
Specify library name and version: libzip/all
Closes #14620