Hi Peter,

Peter Schaffter wrote on Mon, Dec 17, 2018 at 08:55:04PM -0500:
> I've updated mom-2.4.tar.gz on mom's website,

Never change tarballs after they are released. That causes bad trouble to downstream packagers: On first sight, it looks like your website was hacked and the tarball trojaned by an attacker because downstream packagers typically keep checksums of distfiles. So changing a tarball after the fact at the very least forces all downstream packagers to manually investigate whether the change was intentional and legitimate or an error or even malicious. Even if they figure out it was intentional and legitimate, time was wasted figuring that out.

And then they are in a fix regarding how to name their updated package for their users. They *have* to bump it somehow or package managers on end user systems cannot know that they have to update the package on the user's system. So if you do not bump upstream, the packager is kind of forced to bump the packaging version - but that is misleading to users: it looks as if the packager merely improved something in the way the software is packaged, while the bump is actually an upstream bug fix - in fact, a bugfix considered so important that essentially, a new release was made just to fix that one bug.

If you make a release, don't try to keep it secret. If downstream packagers are less careful, they will possibly never pick up the fix because the version number didn't change, so they have no indication anything was wrong, and they will happily continue to ship the buggy version to their users.

When updating a tarball, always bump the version number.

Yours,
  Ingo
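The following is an added example, not part of Ingo's mail or of the mom project, showing the mechanism he describes: a downstream packager records a checksum for each distfile, and a tarball that is re-rolled under the same name fails that check exactly as a trojaned download would. The distinfo format, the file names and the tarball contents are constructed for the example; only `sha256sum`/`shasum`, `tar` and `mktemp` are real tools.

```shell
#!/bin/sh
# Added example (not from the mail or the mom project): how a packager's
# recorded checksum catches a tarball that was changed after release
# without a version bump. All names and file contents are constructed.

sha256_of() {
    # sha256sum is GNU coreutils; shasum is the BSD/macOS fallback
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append "<name> <sha256> <size>" for a distfile, a simplified,
# hypothetical stand-in for a ports tree's distinfo file.
record_distinfo() {
    # $1 = distinfo file, $2 = distfile path
    printf '%s %s %s\n' "$(basename "$2")" "$(sha256_of "$2")" \
        "$(wc -c < "$2" | tr -d ' ')" >> "$1"
}

# Return 0 if the distfile matches its distinfo entry, 1 on mismatch,
# 2 if there is no entry at all (a new, unvetted distfile).
verify_distfile() {
    distinfo=$1; file=$2; name=$(basename "$file")
    entry=$(grep "^$name " "$distinfo" 2>/dev/null | head -n1)
    [ -n "$entry" ] || return 2
    want=$(printf '%s\n' "$entry" | cut -d' ' -f2)
    have=$(sha256_of "$file")
    [ "$want" = "$have" ]
}

# Build a release tarball from constructed content.
make_release() {
    # $1 = output tarball, $2 = workdir, $3 = contents of the one file inside
    rm -rf "$2/mom-2.4"; mkdir -p "$2/mom-2.4"
    printf '%s\n' "$3" > "$2/mom-2.4/om.tmac"
    tar -C "$2" -czf "$1" mom-2.4
}

# Walk through the scenario: the packager vets and records the original
# tarball, upstream replaces it in place under the same name, and the
# packager's next fetch fails verification. Prints "<first> <second>".
demo() {
    work=$(mktemp -d); distinfo="$work/distinfo"
    make_release "$work/mom-2.4.tar.gz" "$work" '.ds MOM_VERSION 2.4'
    record_distinfo "$distinfo" "$work/mom-2.4.tar.gz"
    if verify_distfile "$distinfo" "$work/mom-2.4.tar.gz"; then
        first=0
    else
        first=$?
    fi
    # upstream fixes one line and overwrites the released tarball
    make_release "$work/mom-2.4.tar.gz" "$work" '.ds MOM_VERSION 2.4 \" fixed'
    if verify_distfile "$distinfo" "$work/mom-2.4.tar.gz"; then
        second=0
    else
        second=$?
    fi
    rm -rf "$work"
    echo "$first $second"   # "0 1": original verified, re-rolled tarball rejected
}
```

Run `demo` to see both outcomes. From the packager's side the mismatch is indistinguishable from a compromised mirror until someone diffs the two tarballs by hand; a new file name such as mom-2.4.1.tar.gz gets its own distinfo entry instead and carries the version bump package managers need.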
> I've updated mom-2.4.tar.gz on mom's website, Never change tarballs after they are released. That causes bad trouble to downstream packagers: On first sight, it looks like your website was hacked and the tarball trojaned by an attacker because downstream packagers typically keep checksums of distfiles. So changing a tarball after the fact at the very least forces all downstream packagers to manually investigate whether the change was intentional and legitimate or an error or even malicious. Even if they figure out it was intentioanl and legitimate, time was wasted figuring that out. And then they are in a fix regarding how to name their updated package for their users. They *have* to bump it somehow or package mangers on end user systems cannot know that they have to update the package on the user's system. So if you do not bump upstream, the packager is kind of forced to bump the packaging version - but that is misleading to users: it looks as if the packager merely improved something in the way the software is packaged, while the bump is actually an upstream bug fix - in fact, a bugfix considered so important that essentially, a new release was made just to fix that one bug. If you make release, don't try to keep it secret. If downstream packagers are less careful, they will possibly never pick up the fix because the version number didn't change, so they have no indication anything was wrong, and they will happily continue to ship the buggy version to their users. When updating a tarball, always bump the version number. Yours, Ingo