[OpenWrt-Devel] openwrt/packages: [RFC] Regarding preferences re: switch to codeload

Jo-Philipp Wich jo at mein.io
Mon Aug 13 05:45:14 EDT 2018


Hi,

personally I'm opposed to the entire codeload thing.

First of all I was unable to reproduce the tarballs offered by Github.

Github seems to use an extended tar (pax) format while we pack our SCM
clones using the more traditional ustar format, however even using `tar
-cp -H pax --numeric-owner --owner=0 --group=0 --sort=name --mtime ...`
seems to yield a different tar stream compared to whatever is offered by
Github:

 - The order of the entries in the archive also seems to deviate from
   that of `tar --sort=name`, it looks as if Github archives are sorted
   using the "C" collate while GNU tar uses something else.

 - The PAX header format seems to be different, Github uses a global PAX
   header while GNU tar produces per-member headers

 - There seem to be proprietary tags inside Github tar (comment=<sha1>)
   which are not present in the GNU equivalent

Furthermore I dislike the idea of tailoring download mechanisms around a
specific proprietary service.

If the allegations about hash changes for unknown reasons are correct,
then this raises a huge red flag for me and I see no reason to not
assume that codeload tarballs will eventually change as well, become
rate limited, redirected, discontinued or changed in other arbitrary ways.

So TLDR; I prefer a locally reproducible, cached tarball of a given SCM
clone over an opaque Github offer.


My 2cents,
Jo

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel