On Wed, Aug 22, 2018 at 08:49:57AM +0300, Consus wrote:
> If you create a release
> (https://help.github.com/articles/creating-releases/) then all
> associated generated tarballs are immutable, as far as I know.

Please stop spreading this myth. It is 100% wrong.
These artifacts are not stable. If you rely on them being stable,
stop doing so now.

A friend of mine works at Github and when problems happened in
OpenBSD's ports tree last year I asked what OpenBSD could do.
Here is some of what he told us back then (I won't mention my
friend's name, this was private mail).

""""
These are generated on the spot and cached so anything goes. You two
are likely seeing different tarballs because you're being pointed to
different frontend machines which happened to cache a different
variation of the file.

Back whenever (a few months ago by now, I think) we finally
un-reverted a fix for git-archive for compat with OpenBSD that we had
reverted years ago as people had started relying on the auto-generated
tarball checksums. But at some point you have to bite the bullet, as
a change in any of git, tar, zip, libz and maybe more can end up with
the bytes changed for a tarball/zipfile that means the same. git has
had multiple changes over the years related to non-ASCII filenames.

It's basically a miracle that we didn't change the tarball checksums
when we upgraded the whole fileserver fleet from Ubuntu to Debian one
by one.
"""""
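Added example, not part of the message above and not GitHub or OpenBSD code: it builds the same constructed file tree into two tarballs with different tar header formats and gzip levels, so the archive checksums differ while a digest over the contents agrees. The `content_digest` scheme, the `FILES` tree and all function names are assumptions made for this illustration.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a tagged release (not from the email).
FILES = {"proj-1.0/README": b"hello\n",
         "proj-1.0/main.c": b"int main(void) { return 0; }\n"}

def make_tarball(files, tar_format, level):
    """Build a .tar.gz in memory; tar_format and level model tool changes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tar_format) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(files[name]), 0o644, 0
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def byte_digest(blob):
    """SHA-256 of the archive bytes: what a pinned tarball checksum records."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over each member's path, type, exec bit, link target and data.

    Ad-hoc scheme for this example: tar header layout, timestamps, ownership
    and gzip parameters are deliberately left out of the hash.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(m).read() if m.isfile() else b""
            exec_bit = b"x" if m.mode & 0o111 else b"-"
            for field in (m.name.encode("utf-8", "surrogateescape"), m.type,
                          exec_bit, m.linkname.encode("utf-8", "surrogateescape"), data):
                h.update(len(field).to_bytes(8, "big") + field)  # length-prefixed
    return h.hexdigest()

if __name__ == "__main__":
    a = make_tarball(FILES, tarfile.GNU_FORMAT, 9)
    b = make_tarball(FILES, tarfile.PAX_FORMAT, 1)
    changed = make_tarball({**FILES, "proj-1.0/main.c": b"int main(void) { return 1; }\n"},
                           tarfile.GNU_FORMAT, 9)
    print("bytes equal:   ", byte_digest(a) == byte_digest(b))
    print("content equal: ", content_digest(a) == content_digest(b))
    print("change caught: ", content_digest(a) != content_digest(changed))
```

When a pinned checksum for a generated tarball stops matching, a content-level comparison like this separates a re-encoding of the same tree from an actual change to the files.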

