Re: What to do about github (dynamic) downloads

["J. Lewis Muir" <jlmuir%imca-cat.org@localhost>]

On 08/07, John Klos wrote:
> It seems that some pkgsrc packages use github for some distfiles
> (via codeload.github.com).
> 
> It appears that github generates these on the fly and has decided to
> change their method, seemingly arbitrarily, which makes checksums
> fail.
> 
> In the case of wip/bitcoin, the untargzipped files match the
> original repository on which the checksums were calculated,
> according to mtree, but the size of the file is now off by four
> bytes. The files from the actual Bitcoin project haven't been
> touched since November.
> 
> Should it be decided, whether by concensus or a decision by
> pkgsrc-pmc, that NetBSD should avoid services such as github which
> do this kind of dynamic packaging?

There are probably at least two kinds of downloads available from
GitHub, then.  (There may be more; I don't know.)  I don't know anything
about this dynamic packaging via codeload.github.com, but I do know that
GitHub has the concept of a "release" for which the project owner can
provide links to binary files.  See:

  https://help.github.com/articles/about-releases/

Google's Protobuf project, for example, uses this:

  https://github.com/google/protobuf/releases

There's a "Downloads" section for each release which contains links to
many binary files (e.g., .tar.gz, .zip).  I'm 99% sure these are not
dynamically generated on the fly; they're just binary files available
for download.

So, if there would be any avoidance policy, I think it should be at a
finer-grained level than the service level.  In other words, binary
files associated with a GitHub release should be fine.  They are
different from whatever these dynamically generated archives are from
codeload.github.com.

Regards,

Lewis