[mythtv] Found a severe decoding bug in mythffplay

Craig Treleaven ctreleaven at cogeco.ca
Thu May 10 18:36:15 UTC 2012


At 4:19 PM -0400 5/6/12, Raymond Wagner wrote:
>On 5/6/2012 15:59, Craig Treleaven wrote:
>>At 1:42 AM -0400 5/5/12, Michael T. Dean wrote:
>>>Yeah, I don't think it's worth doing nightly tarballs or anything.
>>>
>>>Then again, I'd love to just remove the tarballs from our website and
>>>let users/packagers either clone the repo with git or use github
>>>tarball links.
>>>
>>
>>Mike, I was looking at packaging Myth for OS X via MacPorts.  The folks
>>there are strongly biased against pulling from version control systems
>>because:
>>-security.  Verifying checksums on a tarball gives quite strong
>>assurance that no malicious changes have been introduced since the
>>packager looked at it.
>>-repeatability.  More chance that the user's install will succeed and
>>function as intended.
>>-availability.  Tarballs can be mirrored on their site to increase
>>availability (and a recent email from Stuart Morgan indicates this is a
>>non-trivial problem with GitHub).
>
>So I still don't see how the Github tarball links fail to meet any 
>of those requirements.  In case you're unaware, you can pull a 
>tarball for any SHA1 hash, and not simply tags and branch heads. 
>While the tarballs are only cached by Github for a brief period, and 
>auto-generated otherwise, their checksums are consistent.

Sorry for being dense but how do I go about pulling a tarball for a 
specific commit hash?  I downloaded a zipball of the latest fixes and 
the link was:

https://nodeload.github.com/MythTV/mythtv/zipball/fixes/0.25

This got me MythTV-mythtv-v0.25-84-g9ccfac1.zip

How can I fetch this again (say with curl)?

Craig
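
Added example (not part of the original thread, and not MythTV or MacPorts code): the shell helpers below read the commit id out of an archive name like the one above, build a commit-pinned link from the URL pattern shown in the message, and fail closed when a download's SHA-256 differs from the digest the packager recorded. The function names are hypothetical, and it is an assumption that the endpoint accepts a commit id where the link above has `fixes/0.25`.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not MythTV or MacPorts code.

# Extract the abbreviated commit id from a git-describe style archive name,
# e.g. MythTV-mythtv-v0.25-84-g9ccfac1.zip -> 9ccfac1
# (v0.25 = nearest tag, 84 = commits since that tag, g<hex> = commit id).
commit_from_name() {
    printf '%s\n' "$1" |
        sed -nE 's/.*-g([0-9a-f]{7,40})\.(zip|tar\.gz)$/\1/p'
}

# Build a commit-pinned URL: $1 is owner/repo, $2 is the commit id.
# Assumption: the endpoint takes a commit id in place of the branch name.
# A packager would record the full 40-character id, because an abbreviated
# id can become ambiguous as the repository grows.
pinned_url() {
    printf 'https://nodeload.github.com/%s/zipball/%s\n' "$1" "$2"
}

# Fail closed unless the file's SHA-256 equals the recorded digest.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_pinned() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual" >&2
    return 1
}

# Typical use (placeholders in angle brackets, network access required):
#   curl -fL -o mythtv.zip "$(pinned_url MythTV/mythtv <full-commit-id>)"
#   verify_pinned mythtv.zip <recorded-sha256> || exit 1
```

The digest is recorded once, when the packager reviews the archive; every later fetch is checked against it before anything is unpacked.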


