| 29 Mar 2024 |
|  @winston:milli.ng joined the room. | 19:34:49 |
|  @entheogenesis:matrix.org joined the room. | 20:12:35 |
 hexa | Redacted or Malformed Event | 20:52:12 |
|  anthr76 joined the room. | 20:54:54 |
|  Gaelan Steele joined the room. | 21:13:50 |
|  magic_rb joined the room. | 21:45:27 |
 ris_ | i think we've encountered situations before where the github automatically generated tarball has been "overridden" by a release file being supplied in its place - which unnerved me a bit at the time - but makes me wonder if it's actually possible to get a tarball link to a git tag that will definitely have been auto-generated | 22:09:23 |
| ris_ | i.e. even fetchFromGitHub was returning the manually-uploaded tarball | 22:11:32 |
 tomberek | ris_: if you use a tree-hash you have much better guarantees from their archive-tarball API. Fetching by commit-hash may encounter git-filter+smudging issues. | 22:37:10 |
|  @tpw_rules:matrix.org joined the room. | 23:01:50 |
| @tpw_rules:matrix.org | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 | 23:01:55 |
| @tpw_rules:matrix.org | debian is considering reverting xz further | 23:02:08 |
| @tpw_rules:matrix.org | given our long lead time on a fix we should too | 23:06:13 |
| hexa | as mentioned this would remove symbols that packages now depend on, so not as simple | 23:07:06 |
| hexa | let's wait a week and see how the world looks then | 23:07:20 |
| @tpw_rules:matrix.org | ok | 23:07:57 |
| @tpw_rules:matrix.org | thanks all | 23:12:00 |
|  Remco Schrijver joined the room. | 23:13:28 |
|  amarshall joined the room. | 23:13:43 |
| ris_ | i'm struggling to reproduce this now, but I'm sure we've had at least one case in the past where fetchFromGitHub wasn't returning the vanilla repo source | 23:16:40 |
| ris_ | tomberek: not sure how we'd fit any of that in with the UX of fetchFromGitHub though | 23:17:57 |
| tomberek | I don't think fetchFromGitHub can. I was talking about the underlying mechanism from GitHub. | 23:18:51 |
| ris_ | fundamentally for f-f-g-h we want a user to supply a tag name and unmistakably get the repo source for that commit. perhaps we can and i'm just delusional/mis-remembering | 23:20:42 |
| ris_ | anyway, we should probably investigate how we might make it easier to build packages from raw source, despite bootstrapping issues | 23:22:14 |
|  quentin joined the room. | 23:53:18 |
| 30 Mar 2024 |
|  qubitnano joined the room. | 01:28:55 |
 raitobezarius | Post bootstrap verification seems a cheap first step, let's double check we get the expected stuff | 01:39:02 |
|  @lycheefox:matrix.org joined the room. | 02:19:40 |
|  SpiralP joined the room. | 03:09:15 |
 vcunat | In reply to @hexa:lossy.network
as mentioned this would remove symbols that packages now depend on, so not as simple Maybe it's simpler for us thanks to doing all the rebuilds, but I haven't investigated whether those packages can build without the symbols. | 05:58:31 |
