
Subject: Re: [boost] What is http://downloads.sourceforge.net/boost/boost_1_63_0.tar.bz2 ?
From: Jonathan Wakely (jwakely.boost_at_[hidden])
Date: 2017-02-07 20:12:30


On 28 January 2017 at 09:26, Olaf van der Spek wrote:
> On Sat, Jan 28, 2017 at 3:40 AM, Jonathan Wakely
> <jwakely.boost_at_[hidden]> wrote:
>> The Fedora RPM spec file was changed to use the redirecting URL years
>> ago, long before I took over maintenance of the package. It didn't
>> occur to me to verify it (since it was definitely a sourceforge.net
>> URL and for the boost project, and it seems that until the CI
>> snapshots last summer it *was* getting the correct file).
>
> Doesn't the hash get verified, automatically, after downloading?

No, because you don't download the file every time you build the RPM.
That would be a problem if the upstream went offline, for example.

Instead the source tarball is downloaded once when updating the
package to a new version (which I did using the problematic URL in the
Subject) and then stored on Fedora's servers, and in future is pulled
from there when building an SRPM (at least using the standard
packaging workflow).

I think that URL is set up automatically by SourceForge and redirects
to the most recently uploaded file of that name. That works fine if
uploaded tarballs have unique names (and did work fine until a few
months ago) but because the snapshots uploaded for CI testing have the
same name as the release tarballs, SourceForge makes the URL point to
whatever the most recent snapshot is.

Another reason why the CI snapshots that are emphatically not the same
as the release tarballs should have different names.
boost-1.63.0-snapshot or boost-snapshot-post-1.63.0 would be fine, and
wouldn't be confusable with the release tarballs of the same name.
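The two workflows described in this message, as an added example that is not code from the thread, from Fedora's packaging tooling or from SourceForge: a constructed model of a host whose download URL serves the most recently uploaded file of a given name, a fetch-once cache that trusts whatever it got, and a variant that checks the tarball against a digest pinned outside the download path, which is the check that would have rejected the CI snapshot before it was stored. File name, contents and the host model are hypothetical.

```python
import hashlib

# Constructed sample artefacts (hypothetical bytes, not the real Boost
# archives): the release tarball and a later CI snapshot uploaded under
# the very same file name.
RELEASE_TARBALL = b"boost_1_63_0 release contents"
CI_SNAPSHOT = b"boost_1_63_0 post-release CI snapshot contents"
NAME = "boost_1_63_0.tar.bz2"

# Digest recorded when the packager first fetched the genuine release,
# kept beside the spec rather than derived from whatever the URL serves.
PINNED_SHA256 = hashlib.sha256(RELEASE_TARBALL).hexdigest()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class FileHost:
    # Assumed model of a host whose download URL redirects to the most
    # recently uploaded file of that name (mirrors the behaviour the mail
    # describes; not SourceForge's real implementation).
    def __init__(self):
        self.uploads = {}  # name -> uploads in upload order

    def upload(self, name, data):
        self.uploads.setdefault(name, []).append(data)

    def fetch_latest(self, name):
        return self.uploads[name][-1]


def fetch_unverified(host, name, cache):
    # Naive workflow: download once, store on the package server, never
    # compare against a pin, so a re-targeted URL goes unnoticed.
    if name not in cache:
        cache[name] = host.fetch_latest(name)
    return cache[name]


def fetch_pinned(host, name, expected_sha256, cache):
    # Hardened workflow: the digest is checked before the file is ever
    # cached, and again on every later read of the cached copy.
    if name not in cache:
        data = host.fetch_latest(name)
        if sha256(data) != expected_sha256:
            raise ValueError(f"{name}: digest mismatch, refusing to cache")
        cache[name] = data
    if sha256(cache[name]) != expected_sha256:
        raise ValueError(f"{name}: cached copy no longer matches pin")
    return cache[name]
```

With only the release uploaded, both workflows return the same bytes; once a snapshot of the same name lands later, the naive fetch silently caches the snapshot while the pinned fetch refuses it and leaves the cache empty.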


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk