poly2tri-c: updated github repo source location to another mirror #109812
This breaks the current release (20.09) too, so should be backported if it's accepted.
@nickfraser did you check if the hash changed?
@SuperSandro2000, I did not, but it does build. I assumed it would fail if the hash didn't match the one provided. How do I calculate the hash? I tried the following:
which is different from the hash provided in
I used this command and got the same hash:
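Added example, not part of the thread and not the command either commenter ran: Nix pins an unpacked source tree by the SHA-256 of its NAR serialization, so two source locations that produce the same hash carry byte-identical trees. This Python sketch reimplements that serialization to compare two local unpacked trees; the function names are hypothetical and the sample trees are constructed.

```python
import base64, hashlib, os, stat, struct

def nar_str(b: bytes) -> bytes:
    """NAR string: 64-bit little-endian length, then data zero-padded to 8 bytes."""
    return struct.pack("<Q", len(b)) + b + b"\0" * (-len(b) % 8)

def nar_node(path: bytes) -> bytes:
    """Serialize one object; only type, exec bit, entry names and bytes are covered."""
    st = os.lstat(path)
    body = nar_str(b"type")
    if stat.S_ISLNK(st.st_mode):
        body += nar_str(b"symlink") + nar_str(b"target") + nar_str(os.readlink(path))
    elif stat.S_ISDIR(st.st_mode):
        body += nar_str(b"directory")
        for name in sorted(os.listdir(path)):  # entries in byte order
            body += (nar_str(b"entry") + nar_str(b"(") + nar_str(b"name")
                     + nar_str(name) + nar_str(b"node")
                     + nar_node(os.path.join(path, name)) + nar_str(b")"))
    elif stat.S_ISREG(st.st_mode):
        body += nar_str(b"regular")
        if st.st_mode & stat.S_IXUSR:  # executable flag is part of the hash
            body += nar_str(b"executable") + nar_str(b"")
        with open(path, "rb") as f:
            body += nar_str(b"contents") + nar_str(f.read())
    else:
        raise ValueError(f"unsupported file type: {path!r}")
    return nar_str(b"(") + body + nar_str(b")")

def nar_bytes(path) -> bytes:
    """Full archive: magic string followed by the root node (its own name is not stored)."""
    return nar_str(b"nix-archive-1") + nar_node(os.fsencode(path))

def nar_sri(path) -> str:
    """SHA-256 of the NAR in SRI form (sha256-<base64>)."""
    digest = hashlib.sha256(nar_bytes(path)).digest()
    return "sha256-" + base64.b64encode(digest).decode()

def same_source(trusted, candidate) -> bool:
    """True when both trees serialize to the same NAR hash."""
    return nar_sri(trusted) == nar_sri(candidate)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample trees
        for side in ("old", "new"):
            os.makedirs(os.path.join(d, side, "src"))
            with open(os.path.join(d, side, "src", "sample.c"), "w") as f:
                f.write("/* constructed sample */\n")
        old, new = os.path.join(d, "old"), os.path.join(d, "new")
        print(nar_sri(old), same_source(old, new))
```

Compare unpacked release archives rather than git clones, since a `.git` directory would be serialized and hashed as well.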
@SuperSandro2000 @nickfraser The way the sources were swapped here is problematic imo. The new GitHub repo isn't just a mirror, but a new upstream, which could author malicious releases in the future. There seems not to be any trust relationship between the original project and the new repo here. Given that the project seems to be not under development anymore I'd suggest to
I'm aware that we can't provide very strong guarantees about authorship in Nixpkgs. But just changing Also pinging the Nixpkgs maintainer @jtojnar here.
The new repo does not look active either. It just contains the same stuff google code exporter spat out. And I would not particularly trust the original repo either (even if it was owned by the original author) – people do get hacked occasionally. If it is updated in the future, hopefully ofborg will ping me and I will do at least a brief code audit. Or maybe GEGL will move on to a maintained library before then. Upstream issue related to this: https://gitlab.gnome.org/GNOME/gegl/-/issues/214#note_1002908
The author being hacked and having a PR with malicious code submitted (no offense nickfraser, it's just for the sake of the argument) are very different threat models. We can't do anything about the first one. As you already made a fork on gitlab.gnome.org, maybe we could just use that one?
No offense taken.
That applied to the previous repository as well. My goal was to merely put this library back into a working state, with the hash the same to ensure the PR didn't introduce any new breaking changes. I agree with all the points made above.
@nickfraser Yeah I also somewhat expected that the old repo wasn't trusted as well. Nice to have a working src again. I opened another PR to use @jtojnar's fork. Backported in 2132156.
… Nixpkgs maintainer See also: https://gitlab.gnome.org/GNOME/gegl/-/issues/214#note_1002908 #109812 (cherry picked from commit b193bc7)
Motivation for this change
Old mirror no longer exists - returns 404 error. Other mirrors also exist on github which could also be used.