[tahoe-dev] 1.9.0 tarball broken

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Nov 9 18:43:26 UTC 2011


On 09/11/11 09:49, Brian Warner wrote:
> On 11/9/11 5:02 AM, Greg Troxel wrote:
>>
>>    I'll repack the existing 1.9.0 tarballs tomorrow and put them back
>>    at the same URLs, and republish the hashes.
>>
>> A new version number please - packaging systems expect tarballs once
>> published to be invariant (since they store their own hashes), and the
>> same file name with different contents looks like an attack.
> 
> Sure thing. If you're ok with your workaround, I'll probably wait until
> the weekend (and after the Summit) to spin 1.9.1.

-1 on releasing a 1.9.1 for this issue. A mistake in generating the tarball
doesn't justify a new release. We've had such mistakes before and have not
made a new release.

If the code had already been packaged in OS distributions, that would be
a different case, but it hasn't (and such distributions have a convention
for changing the package version without requiring an upstream release).

>> Why doesn't the setup code force the umask?
>> It seems like this should not depend on the environment.

Yes, this is a bug in setuptools. We need to stop using setuptools.

> What I think I'll do is add a "umask 002" setting in the Makefile
> target. (it's non-ideal, because changing the umask is harder to unwind
> than, say, setting an environment variable, so running 'make tarballs'
> will have a subtle lingering side-effect on the shell in which it is
> run).

Can you use a subshell to avoid that (something like
/bin/sh -c 'umask 022 && ...')?

-- 
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 294 bytes
Desc: OpenPGP digital signature
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20111109/6e948669/attachment.pgp>


More information about the tahoe-dev mailing list