[Buildroot] [PATCH 06/15 v2] package/luajit: use the git download for known-reproducible tarball

Wed May 1 21:19:23 UTC 2024

Arnout, All,

On 2024-05-01 22:53 +0200, Arnout Vandecappelle spake thusly:
> On 27/04/2024 20:37, Yann E. MORIN wrote:
> > Since version 2.1, LuaJIT follows a rolling-release scheme, which means
> > that any commit is as good as any other; LuaJIT uses the comitter's UNIX
> > timestamp as its semver patch level. It uses the git-attribute
> > export-subst for the .relver file that contains the %ct placeholderfor
> > git-archive to expand it.
> > 
> > We have had various instances of GitHub changing the way it generates
> > archives on the fly, and although it is hard to foresee a way the UNIX
> > timestamp could change (it's clearly defined as the number of seconds
> > elapsed since 1970-01-01T00:00:00Z), it's not inconceivable that GitHub
> > may decide to no longer expand the export-subst attributes in the
> > future...
> 
>  Although I don't really disagree with the principle, I think we should
> instead stop using github-generated tarballs entirely.

100% agreed. I was contemplating doing a mass conversion one of those
rainy days...

> Or, put differently:
> I think the risk of a github-generated tarball to change hash for _other_
> reasons is much higher than that it would stop expanding export-subst.

Yup, export-subst makes it only slightly more likely. :-]

>  So I will not apply this patch of the series.

This patch is mostly for correctness, and did fit with the purpose of
the series. But it is not strictly needed. So ACK.

Thanks!

Regards,
Yann E. MORIN.

>  Regards,
>  Arnout
> 
> > 
> > To avoid any confusion, and to be future-proof, switch over to using the
> > git download helper, which now has support for handling export-subst in
> > a reproducible way. Drop the post-extract hooks as they are not needed.
> > 
> > Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
> > Cc: Francois Perrad <fperrad at gmail.com>
> > Cc: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> > ---
> >   package/luajit/luajit.hash | 2 +-
> >   package/luajit/luajit.mk   | 3 ++-
> >   2 files changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/package/luajit/luajit.hash b/package/luajit/luajit.hash
> > index 578bb7a3e2..da243d8c2a 100644
> > --- a/package/luajit/luajit.hash
> > +++ b/package/luajit/luajit.hash
> > @@ -1,5 +1,5 @@
> >   # Locally calculated
> > -sha256  b518721280390e4cec1af30f6819d86756ce4234d82410a55a4e121855f64e08  luajit-41fb94defa8f830ce69a8122b03f6ac3216d392a.tar.gz
> > +sha256  df50bfe78919691ce9a630c8312386a8cb6ca49f327922a833e77656e82ef6c6  luajit-41fb94defa8f830ce69a8122b03f6ac3216d392a-br2.tar.gz
> >   # Locally calculated
> >   sha256  1130331ac861a4b4520e9c8ad0814efdc6f1e79ea55ea9c460c73733d13ccb5f  COPYRIGHT
> > diff --git a/package/luajit/luajit.mk b/package/luajit/luajit.mk
> > index 693e22630b..6b1c6b3386 100644
> > --- a/package/luajit/luajit.mk
> > +++ b/package/luajit/luajit.mk
> > @@ -5,7 +5,8 @@
> >   ################################################################################
> >   LUAJIT_VERSION = 41fb94defa8f830ce69a8122b03f6ac3216d392a
> > -LUAJIT_SITE = $(call github,LuaJIT,LuaJIT,$(LUAJIT_VERSION))
> > +LUAJIT_SITE = https://github.com/LuaJIT/LuaJIT
> > +LUAJIT_SITE_METHOD = git
> >   LUAJIT_LICENSE = MIT
> >   LUAJIT_LICENSE_FILES = COPYRIGHT
> >   LUAJIT_CPE_ID_VENDOR = luajit

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'