[mythtv] Github tarball from commit can change

Alec Leamas leamas.alec at gmail.com
Mon Sep 28 15:40:40 UTC 2015 

On 28/09/15 17:01, Craig Treleaven wrote:
>> On Sep 28, 2015, at 9:19 AM, Alec Leamas <leamas.alec at gmail.com> wrote:
>>
>> On 28/09/15 14:34, Stuart Auchterlonie wrote:
>>
>>> Pulling the tar ball will always pull the latest and greatest.
>>> Any change to fixes/0.27 will result in a different tarball to
>>> the previous download.
>>>
>>> There may be a way of telling it to pull at a specific commit,
>>> but haven't looked at it
>>
>> There is. See e. g.,
>>
>> https://fedoraproject.org/wiki/Packaging:SourceURL?rd=Packaging/SourceURL#Git_Hosting_Services
>
> Thanks, Alec, that is what I am doing except that I just use the short hash (“e9b577d3”) rather than the 40-character full hash.  If I should be using the full hash, I can do that.
>
> AIUI, this causes GitHub to deliver a compressed tarball of a snapshot of the project as of that commit.  GitHub creates these tarballs and caches them for some unknown length of time.  GitHub _should_ be able to re-create the tarball if the cached version is no longer available since the snapshot should be exactly the same.

As I understand this, github just uses git-archive(1) to retrieve the 
tarball. We have noted that they have the specific semantics described 
in the manpage about checking out a commit vs checking out a version/tag.

> My WAG is that the file that differs (‘EXPORTED_VERSION’) is generated by a git hook.  It may be that the hook works differently depending on whether the commit hash is the lastest in that branch or not.  I know almost nothing about such hooks, however, so I could be entirely wrong.

If so, I would be surprised if github is involved in this. As I 
understand it, EXPORTED_VERSION is a myth thing. I suppose anything is 
possible, but it should then be that someone has installed a hook on the 
github side. Unfortunately, this is above my paygrade :(

My understanding is that if you checkout the same commit (with a direct 
reference, not using any tag/version) you should get exactly the same 
files, checked by a hashsum. If you reference a tag the files should be 
the same but the modification dates are different.

So, someone has tampered with EXPORTED_VERSION. First question is if 
it's actually part of the archive or generated by myth, isn't it?
'git ls-files' or 'git log EXPORTED_VERSION' in a cloned copy should 
reveal that, I guess.

Actually, you could also run git-archive(1) directly from a clone as 
well. AFAICT, this is the same as pulling a copy from github.


Cheers!

--alec

More information about the mythtv-dev mailing list