versioned container testing
Brook Milligan
brook at nmsu.edu
Wed Nov 20 22:55:15 CET 2019
> On Nov 20, 2019, at 1:38 PM, Denis Bitouzé <dbitouze at wanadoo.fr> wrote:
>
> Brook said:
>
> The first time a pkgsrc bulk build happens (which is more or less
> daily), it will download foo-1.2.3.tar.xz from CTAN and verify the
> checksum.
>
> Wouldn't be possible for CTAN to provide the `foo-1.2.3.tar.xz.sha512'
> checksum file of `foo-1.2.3.tar.xz' next to the latter? Hence the pkgsrc
> bulk build could download only this `.sha512' instead of the possibly
> very large `.xz' and would save bandwith.
I believe you are suggesting an algorithm for pkgsrc to adopt that would involve downloading a TeXlive-provided hash to check the veracity of the TeXlive-provided *.xz file. That just begs the question, how does someone know to trust the TeXlive-provided hash? There must be information internal to pkgsrc, i.e., independent of TeXlive (at least after the package is made) that provides this information. As a consequence, anyone using the package will know that they have the same file that the package developer did, and the minimum number of downloads are guaranteed.
The problem with the long-standing approach to TeXlive is that checksums change, yet the filename does not reflect that. Thus, information claiming that foo.xz has a particular checksum is out of date once the file is regenerated, and a package user cannot be confident of having the same file as the developer. This causes needless churn and requires special handling for TeXlive packages. It also is at variance with a broad community of standard practice.
The solution being adopted, which encodes the version information in the name, allows a single checksum to forever apply to the same file (at least if TeXlive has reproducible means of creating files or only creates them once, which I believe is also part of the new process). It might be useful to also provide a hash file, but that is not necessary (and would not be used by pkgsrc if it were available).
This is a huge step forward, for which I thank Karl and everyone working on this. I am eager to see this go live, and appreciate your great care making sure no unforeseen issues arise with the switchover. Thanks for your efforts.
Cheers,
Brook
More information about the tex-live
mailing list