<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jan 11, 2013 at 3:47 PM, Pawel Wodnicki <span dir="ltr"><<a href="mailto:root@32bitmicro.com" target="_blank">root@32bitmicro.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 1/11/2013 2:40 PM, Brooks Davis wrote:<br>
> On Fri, Jan 11, 2013 at 09:33:17PM +0100, Benjamin Kramer wrote:<br>
>><br>
>> On 11.01.2013, at 21:31, Justin Holewinski<br>
>> <<a href="mailto:justin.holewinski@gmail.com">justin.holewinski@gmail.com</a>> wrote:<br>
>><br>
>>> On Fri, Jan 11, 2013 at 3:26 PM, Benjamin Kramer<br>
>>> <<a href="mailto:benny.kra@gmail.com">benny.kra@gmail.com</a>> wrote:<br>
>>><br>
>>> On 11.01.2013, at 07:36, ????????? (Wei-Ren Chen)<br>
>>> <<a href="mailto:chenwj@iis.sinica.edu.tw">chenwj@iis.sinica.edu.tw</a>> wrote:<br>
>>><br>
>>>> Hi Pawel,<br>
>>>><br>
>>>> PTX already be replaced with NVPTX. However, PTX subdirectory<br>
>>>> still sit in lib/Target in 3.2 release. Do you think update<br>
>>>> the release tarball is a good idea? Also could you remove it<br>
>>>> from the trunk?<br>
>>><br>
>>> Please do not, under no circumstances, change the 3.2 release<br>
>>> tarballs at this point. They are mirrored around the world now<br>
>>> with cryptographic hashes and signatures. Changing them will<br>
>>> break things for many people, especially for an extremely<br>
>>> minor thing like an empty directory.<br>
>>><br>
>>> I'm not sure if Pawel's tarball change should be reverted now<br>
>>> as it already caused uproar, so changing it back might only<br>
>>> make matters worse.<br>
>>><br>
>>> The tarballs were changed?<br>
>><br>
>> r172208<br>
><br>
> I finally updated the FreeBSD ports yesterday and today a user<br>
> complained about distfile changes. IMO, this revision should be<br>
> reverted or all the other BSDs will have to chase checksums as<br>
> well.<br>
><br>
> If you really want to remove the directory, ship a 3.2.1 tarball<br>
> rather than screwing all the downstream consumers who's<br>
> infrastructure exists to detect trojan'd tarballs.<br>
<br>
</div></div>Tarball is signed, it is not trjoan.<br>
Your infrastructure should be able to deal with it?<br></blockquote><div><br></div><div>Many of these environments rely on checking against a known-good checksum. If a tarball is replaced at the source, that checksum changes. Once a release is cut, that particular release should never change. If a change is necessary, some sort of point release (3.2.1) is preferable, so anyone wanting 3.2 still gets the old binary with the old checksum.<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
><br>
> -- Brooks<br>
><br>
<br>
Paweł<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><br><div>Thanks,</div><div><br></div><div>Justin Holewinski</div>
</div></div>