| 29 Mar 2024 |
| Gaelan Steele joined the room. | 21:13:50 |
| magic_rb joined the room. | 21:45:27 |
ris_ | i think we've encountered situations before where the github automatically generated tarball has been "overridden" by a release file being supplied in its place - which unnerved me a bit at the time - but makes me wonder if it's actually possible to get a tarball link to a git tag that will definitely have been auto-generated | 22:09:23 |
ris_ | i.e. even fetchFromGitHub was returning the manually-uploaded tarball | 22:11:32 |
tomberek | ris_: if you use a tree-hash you have much better guarantees from their archive-tarball API. Fetching by commit-hash may encounter git-filter+smudging issues. | 22:37:10 |
| @tpw_rules:matrix.org joined the room. | 23:01:50 |
@tpw_rules:matrix.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 | 23:01:55 |
@tpw_rules:matrix.org | debian is considering reverting xz further | 23:02:08 |
@tpw_rules:matrix.org | given our long lead time on a fix we should too | 23:06:13 |
hexa | as mentioned this would remove symbols that packages now depend on, so not as simple | 23:07:06 |
hexa | let's wait a week and see how the world looks then | 23:07:20 |
@tpw_rules:matrix.org | ok | 23:07:57 |
@tpw_rules:matrix.org | thanks all | 23:12:00 |
| Remco Schrijver joined the room. | 23:13:28 |
| amarshall joined the room. | 23:13:43 |
ris_ | i'm struggling to reproduce this now, but I'm sure we've had at least one case in the past where fetchFromGitHub wasn't returning the vanilla repo source | 23:16:40 |
ris_ | tomberek: not sure how we'd fit any of that in with the UX of fetchFromGitHub though | 23:17:57 |
tomberek | I don't think fetchFromGitHub can. I was talking about the underlying mechanism from GitHub. | 23:18:51 |
ris_ | fundamentally for f-f-g-h we want a user to supply a tag name and unmistakably get the repo source for that commit. perhaps we can and i'm just delusional/mis-remembering | 23:20:42 |
ris_ | anyway, we should probably investigate how we might make it easier to build packages from raw source, despite bootstrapping issues | 23:22:14 |
| quentin joined the room. | 23:53:18 |
| 30 Mar 2024 |
| qubitnano joined the room. | 01:28:55 |
raitobezarius | Post bootstrap verification seems a cheap first step, let's double check we get the expected stuff | 01:39:02 |
| @lycheefox:matrix.org joined the room. | 02:19:40 |
| SpiralP joined the room. | 03:09:15 |
vcunat | In reply to @hexa:lossy.network: "as mentioned this would remove symbols that packages now depend on, so not as simple" Maybe it's simpler for us thanks to doing all the rebuilds, but I haven't investigated whether those packages can build without the symbols. | 05:58:31 |
| @andmuz:matrix.org joined the room. | 07:29:28 |
Minijackson | In reply to @r_i_s:matrix.org: "i'm struggling to reproduce this now, but I'm sure we've had at least one case in the past where fetchFromGitHub wasn't returning the vanilla repo source" You might have encountered a case where git attributes were used, which can modify the generated git archive. An example that I have on hand: https://github.com/paulscherrerinstitute/StreamDevice/blob/master/.gitattributes | 08:21:08 |
ris_ | that seems feasible - didn't know about that. at least changes to gitattributes have to be checked in, which limits their stealth | 11:05:44 |