Checksums of packages produced GitLab CI/CD change over time making it impossible to build previous releases.
I was trying setup cross compilation using scripts/bootstrap.sh, I had checked out the tagged release v3.13.2, but the checksums of many packages no longer matched. Resulting in errors like the following:
>>> alpine-conf: Checking sha512sums...
alpine-conf-3.11.0.tar.gz: FAILED
sha512sum: WARNING: 1 of 1 computed checksums did NOT match
Because the remote file above failed the sha512sum check it will be renamed.
Rebuilding will cause it to re-download which in some cases may fix the problem.
Renaming: alpine-conf-3.11.0.tar.gz to alpine-conf-3.11.0.tar.gz.589278b8
Checking the checksum of the file at time of writing yields:
curl -s https://gitlab.alpinelinux.org/alpine/alpine-conf/-/archive/3.11.0/alpine-conf-3.11.0.tar.gz | sha512sum
3fc373836aa30a2193d76d2cccc50dddb95c21e1f3530bf0b841a815161fea287b9bbb1370d2d2616615448df7fa5791328e59903cf87907477846758c689c38 -
This file https://gitlab.alpinelinux.org/alpine/alpine-conf/-/archive/3.11.0/alpine-conf-3.11.0.tar.gz is changing its contents over time.
But if we check the APKBUILD file for this project the filename stays the same but the checksum changes
sha512sums="589278b8c4b4e87a670edda11292e93b27e21f0471749ee2e788bf620e6e957249ea1d80f44fed2600a6ed8d7943179dc2e21cd55ddcfbd8913359d0f590eb05 alpine-conf-3.11.0.tar.gz
Later corrected:
sha512sums="3fc373836aa30a2193d76d2cccc50dddb95c21e1f3530bf0b841a815161fea287b9bbb1370d2d2616615448df7fa5791328e59903cf87907477846758c689c38 alpine-conf-3.11.0.tar.gz
This is problematic in that only building of of master
has a chance at working, all previous tagged releases cannot be reliably built, which in turn means I cannot automate cross compliation as it is it can fail at any point in the future when these files are updated for newer releases but still use the same file name.
Is it expected that only the building on the HEAD of master is viable? Or could aports build system be change in such a way as to prevent this issue?