Was 0.7.2 retagged? #1134
Hi @SMillerDev. Thanks for bringing this to our attention. Cog v0.7.2 was generated by CI/CD automation on May 23, 2023 at 03:21 PDT: https://github.com/replicate/cog/releases/tag/v0.7.2. To my knowledge, this was the one and only time that the release step of that workflow ran for a tag with that name. The Homebrew formula for Cog was bumped to v0.7.2 on May 23, 2023 at 05:32 AM PDT by this commit.

The SHA256 hash

```
$ curl -LO https://github.com/replicate/cog/archive/refs/tags/v0.7.2.tar.gz
$ shasum -a 256 v0.7.2.tar.gz
bce8bcedefafdd7ebd498b9f94eead6d2c9586ae36cf6e8c1dcaab8d15927505
$ openssl sha256 < cog-0.7.2.tar.gz
bce8bcedefafdd7ebd498b9f94eead6d2c9586ae36cf6e8c1dcaab8d15927505
```

For what it's worth, the recorded SHA256 for 0.7.1 seen in that diff is also different from what I calculate locally, so I find the more likely explanation to be that these differences are systemic rather than particular to these releases. I'll look into Homebrew's implementation to better understand what's going on.

In the meantime, if you're concerned about the integrity of the Cog release provided by Homebrew, I'd encourage you to check out the code and build from source:

```
$ curl -LO https://github.com/replicate/cog/archive/refs/tags/v0.7.2.tar.gz
$ tar -xzvf v0.7.2.tar.gz
$ cd v0.7.2
$ [sudo] make install
```

I've also gone ahead and configured tag protection for this GitHub repo to ensure that tags remain durable and constant going forward.
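The comparison above (a recorded SHA256 versus the digest of the archive actually downloaded) is the check that surfaced this issue. The following is an added example and is not code from the thread or from the Cog project: a small POSIX shell helper that computes a file's SHA256 portably (`sha256sum` on Linux, `shasum -a 256` on macOS), compares it to the hash a manifest recorded, and reports both values on a mismatch so the two can be pasted into a bug report. The sample file and its expected digest are constructed for the demo; `verify_sha256` and `sha256_of` are names chosen here.

```sh
#!/bin/sh
# Added example, not part of the issue thread or the Cog project.
# Verify that a downloaded archive matches the SHA256 a package manifest
# (for example a Homebrew formula) recorded for it.

# sha256_of FILE: print the lowercase hex SHA256 of FILE.
# Prefers coreutils sha256sum; falls back to Perl shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: exit 0 when the digests agree, 1 otherwise.
# The expected value is lower-cased so manifests that record uppercase hex
# still compare correctly.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $file matches recorded SHA256"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  recorded: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Demo on a constructed file (stands in for a downloaded tarball).
# SHA256 of the six bytes "hello\n" is the well-known value below.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_sha256 "$demo_file" \
  5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
# A deliberately wrong recorded value (constructed) shows the failure path.
if verify_sha256 "$demo_file" \
  0000000000000000000000000000000000000000000000000000000000000000; then
  echo "unexpected: bogus hash accepted"
fi
rm -f "$demo_file"
```

Run it as `verify_sha256 v0.7.2.tar.gz <hash-from-formula>` after downloading the archive. Note that the maintainer's transcript hashes the file under two different local names (`v0.7.2.tar.gz` and `cog-0.7.2.tar.gz`); the digest depends only on the bytes, so the name does not matter, but which URL produced the bytes does, which is why a manifest and a fresh download can disagree even when no tag moved.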
It seems you're right and that is unfortunately in line with things I've seen before with GitHub generated tarballs.

That is great, thanks for the reassurance.
Fixed in #1522
Homebrew recorded an SHA256 hash for cog 0.7.2 on May 23rd but downloading the file today gives a different hash.
The git manual says re-tagging is "the insane thing" to do so I just want to make sure this was intentional and not a compromised download.