Hello Clojure community
I'm one of the Java buildpacks maintainers and we recently discovered a discrepancy in the releases for this repository: https://github.com/clojure/brew-install/
The issue is that release artifacts seem to have been republished / repushed after their initial release, effectively overwriting tags and the artifacts attached to them; but since the Paketo buildpack for Clojure relies on SHA256 signatures to make sure the archive is the one that we expected, it basically broke them.
For example, let's take release 1.11.1.1347.
- in the clojure/brew-install/ repository, we can sha256 the archive (`shasum -a 256 ~/Downloads/linux-install-1.11.1.1347.sh`) to 73a780bac41fc43ac624973f4f6ac4e46f293fe25aa43636b477bcc9ce2875de
Weirdly enough though, this release dates back to August 26 whereas the commit was done on May 31st
We believe the user named puredanger has mass-overwritten GitHub releases, potentially changing the content of the published releases, on August 26th; the reason to think this is that, looking at this releases page, all older releases (<1360) were updated.
We just wanted to make sure this issue was known and, if possible, would not happen frequently since it can break downstream redistribution channels, such as Paketo buildpacks. (We just updated and released to one of the latest Clojure releases, but users set on older versions could be impacted.)
Thank you!
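
The kind of pin check the post describes, as an added example (not code from Paketo or the Clojure project): it rejects an artifact whose SHA-256 no longer matches the pinned value and separately flags an asset whose last update is far later than the tagged commit. The function name, the 7-day threshold, the installer bytes and the timestamps (year 2000) are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_artifact(pinned_sha256: str, artifact: bytes,
                   tag_commit_at: str, asset_updated_at: str,
                   max_lag: timedelta = timedelta(days=7)) -> list:
    """Return a list of findings; an empty list means the artifact is accepted."""
    findings = []

    # 1. Fail closed on any digest drift: the pin is the only trusted reference.
    actual = sha256_hex(artifact)
    if actual != pinned_sha256.strip().lower():
        findings.append(
            f"digest-mismatch: pinned {pinned_sha256[:12]}, got {actual[:12]}")

    # 2. Independent signal: an asset updated long after the tagged commit
    #    suggests the release was re-uploaded (threshold is an assumption).
    lag = (datetime.fromisoformat(asset_updated_at)
           - datetime.fromisoformat(tag_commit_at))
    if lag > max_lag:
        findings.append(
            f"republished: asset updated {lag.days} days after tag commit")
    return findings


# Constructed sample data, not the real installer or real release metadata.
ORIGINAL = b"#!/usr/bin/env bash\n# installer as first published (constructed)\n"
REPUBLISHED = b"#!/usr/bin/env bash\n# installer after re-upload (constructed)\n"
PIN = sha256_hex(ORIGINAL)  # what a downstream lock file would have recorded
TAG_COMMIT_AT = "2000-05-31T12:00:00+00:00"
FIRST_UPLOAD_AT = "2000-05-31T13:00:00+00:00"
REUPLOAD_AT = "2000-08-26T12:00:00+00:00"

if __name__ == "__main__":
    cases = [("first upload", ORIGINAL, FIRST_UPLOAD_AT),
             ("re-upload", REPUBLISHED, REUPLOAD_AT)]
    for label, blob, updated in cases:
        result = audit_artifact(PIN, blob, TAG_COMMIT_AT, updated)
        print(label, "->", result or "accepted")
```

The timestamp check catches a re-upload even when the bytes happen to be identical, which a digest comparison alone would not report.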