Package Details: mod_auth_openidc 2.4.15.7-2

Git Clone URL: https://aur.archlinux.org/mod_auth_openidc.git (read-only)
Package Base: mod_auth_openidc
Description: OpenID Connect Relying Party implementation for Apache 2.x
Upstream URL: https://www.mod-auth-openidc.org
Licenses: Apache
Submitter: alzeih
Maintainer: alzeih (alerque)
Last Packager: alerque
Votes: 3
Popularity: 0.24
First Submitted: 2020-08-20 10:54 (UTC)
Last Updated: 2024-04-01 18:08 (UTC)

Latest Comments

alerque commented on 2024-04-01 18:22 (UTC) (edited on 2024-04-01 18:31 (UTC) by alerque)

@alzeih Version 2.4.15.5 was released (how would I have generated checksums if it wasn't) but later pulled (I have no idea why). This project doesn't release tags that are not also releases, so the difference is immaterial. Sometimes projects forget to post releases even after they tag, and I find it's useful to get notified of that. That's minor though. Obviously with our current source use we're using generated sources, so monitoring just releases is fine.

The bigger issue is that you just reset checksums for a release without explaining why. This only happens when upstream re-tags an existing release. This should never be done anyway and if a project does it, the checksum should not be updated until it is reported upstream and why it was retagged and what changed is evaluated. The chances of a release artifact being changed to be malicious after release are exponentially higher than the initial post, and the checksums are specifically there to guard against that. DO NOT just update them without also posting research on why it happened. Arch's model is "trust on first use", not "just trust any changes that happen after that".
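
One way to start the research the comment above asks for before any checksum is touched, as an added example that is not part of the thread or of the package: compare the fresh download against the pinned sha256 and, on a mismatch, list which files differ from the previously verified tarball. The function names, file names and in-memory sample tarballs are constructed for illustration, and the check assumes the originally verified tarball is still cached.

```python
import hashlib
import io
import tarfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def member_digests(tar_bytes: bytes) -> dict:
    """Map each regular file in a .tar.gz to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():  # symlinks, modes and owners are not compared here
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests

def audit_retag(pinned_sha256: str, cached_old: bytes, downloaded: bytes) -> dict:
    """On checksum mismatch, report file-level changes; all-empty lists mean a repack only."""
    if sha256_hex(downloaded) == pinned_sha256:
        return {"status": "ok"}
    old, new = member_digests(cached_old), member_digests(downloaded)
    return {
        "status": "mismatch",
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def make_tarball(files: dict, mtime: int = 0) -> bytes:
    """Build a constructed .tar.gz in memory (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample data: placeholder names and contents, not the real release.
FILES = {"pkg-1.0/configure": b"#!/bin/sh\n", "pkg-1.0/src/mod.c": b"int x;\n"}
ORIGINAL = make_tarball(FILES)
RETAGGED = make_tarball({**FILES, "pkg-1.0/configure": b"#!/bin/sh\necho changed\n",
                         "pkg-1.0/src/extra.c": b"int y;\n"})
PINNED = sha256_hex(ORIGINAL)  # stands in for the value pinned in sha256sums

if __name__ == "__main__":
    print(audit_retag(PINNED, ORIGINAL, ORIGINAL))
    print(audit_retag(PINNED, ORIGINAL, RETAGGED))
```

A mismatch with empty `added`, `removed` and `changed` lists points to a repack with identical file contents; anything else is the list of files to review and report upstream before the pinned value changes.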

alzeih commented on 2024-03-15 23:23 (UTC)

@snack Thanks for reporting. Not sure why the hash was incorrect, but it should now be fixed.

@alerque I've also updated the .nvchecker.toml to use releases, not tags. 2.4.15.5 was a tag, not a release, so the link used in the package for 2.4.15.5-1 was broken. I've also added a .nvchecker.toml to dependency cjose using releases, not tags.

snack commented on 2024-03-15 08:17 (UTC)

The update to 2.4.15.6-1 fails the sha256sums check on my system (using yay):

==> Making package: mod_auth_openidc 2.4.15.6-1 (ven 15 mar 2024, 09:16:03)
==> Retrieving sources...
  -> Downloading mod_auth_openidc-2.4.15.6.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  647k  100  647k    0     0   663k      0 --:--:-- --:--:-- --:--:-- 8298k
==> WARNING: Skipping verification of source file PGP signatures.
==> Validating source files with sha256sums...
    mod_auth_openidc-2.4.15.6.tar.gz ... FAILED
==> ERROR: One or more files did not pass the validity check!
 -> error downloading sources: /tmp/yay/mod_auth_openidc 
         context: exit status 1 

snack commented on 2023-06-08 13:17 (UTC)

@alzeih The new version works, thank you.

alzeih commented on 2023-06-08 08:06 (UTC)

@snack the GitHub url has changed to https://github.com/OpenIDC/mod_auth_openidc , and the download url has an extra "v".

Package has been bumped to 2.4.14.2-2 which should fix the 404.

snack commented on 2023-06-08 05:50 (UTC)

Updating to 2.4.14.2-1 with yay I get this error:

==> Retrieving sources...
  -> Downloading mod_auth_openidc-2.4.14.2.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     9    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404
==> ERROR: Failure while downloading https://github.com/zmartzone/mod_auth_openidc/releases/download/2.4.14.2/mod_auth_openidc-2.4.14.2.tar.gz
    Aborting...
 -> error downloading sources: /tmp/yay/mod_auth_openidc 
         context: exit status 1 

alerque commented on 2021-09-03 09:16 (UTC)

And now 2.4.9.4.

I'm going to file an orphan request so I can keep this more up to date, but I'd be happy to co-maintain it too if you're watching.

alerque commented on 2021-08-26 18:19 (UTC)

Since my last OOD flag 2.4.9.3 is also out. If you're interested in adding me as a co-maintainer I can help keep this up to date. I may eventually move it to [community] too if it gets another few votes.