[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Checksum mismatch for 1.8 release

From: Tim Rice
Subject: Re: Checksum mismatch for 1.8 release
Date: Tue, 17 Jan 2023 21:03:46 +0000

Hi Sean,

Oops, I missed your message on 4 Jan. Thankfully it was just brought to my 
attention. Sorry for the delay in getting back to you.

So, I apologize for the confusion regarding the last release, it was my bad. I 
am new to GNU maintainership and it was my first release. I hope it's not too 
surprising, then, that the process had some hiccups.

tl;dr No, the GNU Datamash sources have not been compromized :)

Post mortem:

1. When preparing the release, I had trouble with the automated packaging 
tools. In particular, the NEWS hash was out of date. This led to errors when 
attempting the automated release approach which would normally be followed.

2. I was able to fix things manually, but then forgot the '-z` flag to tar when 
preparing the release tarball. Therefore the announcement which I sent out was 
for some .tar.gz files which actually were not compressed.

3. Shortly after the announcement, someone let me know they were having an 
issue with the packaging because of the error in (2). (Thanks again to that 
person, they caught it quickly, which is why you see a gap of only a few hours 
before new files were sent up.)

4. I repackaged the files with no change except to add compression in the 
expected way.

5. Since everything was signed with my public key, it seemed unlikely that any 
confusion could arise. Therefore I declined adding noise to the announcement 
mailing list just to advise of what seemed to me like a negligible adjustment. 
Adding compression without actually changing the contents did not seem 

Sorry again for any confusion, and thanks for your patience. Please let me know 
if that clears things up for you or if there is something else I can do to help 
make this right.

Kind regards,


On Wed, Jan 04, 2023 at 08:56:08AM +0000, sean wrote:
Hi Datamash maintainers,
I just tried to download datamash 1.8 and the checksum that was reported in the 
release anouncement: https://savannah.gnu.org/forum/forum.php?forum_id=10212
Doesn't seem correct anymore and the upload is from hours after that 
announcement. Has the download been compromised?
Sean Molenaar
Homebrew maintainer

reply via email to

[Prev in Thread] Current Thread [Next in Thread]