If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads. On the Releases page, these are the assets which were uploaded to GitHub and appear with their file size. Files can be added to a release manually in the web or with something like this (third-party) GitHub Action. You can later use the Release Assets REST API to retrieve them. If relying on release assets isn’t possible, we urge you to consider designs that can accommodate (infrequent) future hash changes.
In what scenario do you need this feature?
Problem: currently in xmake-repo, when add_urls points at a source archive fetched from github.com, the hash is not necessarily stable.
The previous breakage was in 2017.
The most recent breakage was on 2023-01-31; the next one can come at the earliest a year later:
GitHub recently clarified the question of hash stability when downloading tarballs.
In short:
https://github.com/${org}/${repo}/archive/refs/tags/${TAG}.tar.gz
Describe possible solutions
As a downstream build tool there are really not many good options.
We can only avoid unstable download URLs as far as possible.
Describe the candidate solutions you have in mind
The highest frequency is about once a year, so writing a script and running it periodically would also work.
Other information
The most recent hash change: consolidated discussion
Many build-system maintainers replied there; it is the discussion that preceded that GitHub blog post.
Bazel has also changed their templates to use stable source archives.
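The periodic check suggested under the candidate solutions, written out as an added example (not code from the issue author or from xmake-repo): re-download each pinned source URL and compare its sha256 with the hash recorded in the package definition, so a regenerated tarball is noticed instead of silently failing the next build. The org/repo/tag and the expected hash in the usage comment are placeholders.

```shell
#!/bin/sh
# Hypothetical hash-drift checker (added example, not part of xmake-repo).
# Compares the sha256 of a downloaded archive with the pinned value; a mismatch
# means GitHub regenerated the tarball or upstream changed, and the package
# definition needs review.
set -u

# Print the sha256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's hash equals the expected (pinned) hash, 1 otherwise.
verify_sha256() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# Download a URL to a temp file and verify it; prints a one-line verdict.
# Exit codes: 0 = unchanged, 1 = hash drift, 2 = download failed.
# Usage: check_url <url> <expected-sha256>
check_url() {
    tmp=$(mktemp)
    if ! curl -fsSL -o "$tmp" "$1"; then
        rm -f "$tmp"; echo "FETCH-FAIL $1"; return 2
    fi
    if verify_sha256 "$tmp" "$2"; then
        echo "OK    $1"; rc=0
    else
        echo "DRIFT $1 expected=$2 actual=$(file_sha256 "$tmp")"; rc=1
    fi
    rm -f "$tmp"; return "$rc"
}

# Example invocation for a cron job (placeholder org/repo/tag and hash;
# substitute the values pinned in the package's add_versions):
# check_url "https://github.com/ORG/REPO/archive/refs/tags/v1.0.0.tar.gz" "<PINNED_SHA256>"
```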