in Meta
Hello Clojure community

I'm one of the Java buildpack maintainers, and we recently discovered a discrepancy in the releases for this repository: https://github.com/clojure/brew-install/

The issue is that release artifacts seem to have been republished / repushed after their initial release, effectively overwriting tags and the artifacts attached to them; but since the Paketo buildpack for Clojure relies on SHA256 signatures to make sure the archive is the one we expected, it basically broke them.

For example, let's take release 1.11.1.1347.

  • in the clojure/brew-install/ repository, we can sha256 the archive (`shasum -a 256 ~/Downloads/linux-install-1.11.1.1347.sh`) to `73a780bac41fc43ac624973f4f6ac4e46f293fe25aa43636b477bcc9ce2875de`

Weirdly enough, though, this release dates back to August 26, whereas the commit was done on May 31st.

We believe the user named puredanger mass-overwrote GitHub releases, potentially changing the content of the published releases, on August 26th; the reason to think this is that on the releases page all older releases (<1360) were updated.

We just wanted to make sure this issue was known and, if possible, would not happen frequently, since it can break downstream redistribution channels such as Paketo buildpacks. (We just updated and released against one of the latest Clojure releases, but users pinned to older versions could be impacted.)

Thank you!
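The pinned-hash check the question describes, as an added example that is not code from the thread or from the Paketo project: a fail-closed verification of a downloaded artifact against an expected SHA256, which is exactly what breaks when an artifact is re-published under the same tag with different bytes. It assumes `sha256sum` or `shasum` is installed; the file it checks is a constructed stand-in, not the real installer.

```shell
#!/bin/sh
# Print the hex SHA256 of a file using whichever tool is available
# (sha256sum on Linux, shasum -a 256 on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 when FILE hashes to EXPECTED (hex, case-insensitive), 1 otherwise.
# On mismatch it reports both digests so a re-published artifact is visible
# in build logs instead of silently installed.
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "SHA256 mismatch for $1" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Digest quoted in the question for linux-install-1.11.1.1347.sh.
PINNED=73a780bac41fc43ac624973f4f6ac4e46f293fe25aa43636b477bcc9ce2875de

# Demo on a constructed file: its bytes differ from the pinned release,
# so the check refuses it, which is the desired fail-closed behaviour.
demo() {
  tmp=$(mktemp)
  printf 'constructed stand-in for linux-install-1.11.1.1347.sh\n' > "$tmp"
  if verify_sha256 "$tmp" "$PINNED"; then
    echo "artifact accepted"
  else
    echo "refusing to install: artifact does not match pinned hash"
  fi
  rm -f "$tmp"
}

demo
```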

1 Answer

Best answer

Yes, I did this on a handful of old releases to relocate some traffic from old (download.clojure.org) to new (github) download locations. No plans to do any more.

ok thanks for your answer Alex!
That clears things out!