-
-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ccemux: mark broken (download fails hash validation) #272193
Conversation
@@ -64,5 +64,6 @@ stdenv.mkDerivation rec { | |||
sourceProvenance = with sourceTypes; [ binaryBytecode ]; | |||
license = licenses.mit; | |||
maintainers = with maintainers; [ CrazedProgrammer viluon ]; | |||
broken = true; # download of CCEmuX-cct.jar fails hash validation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we update hash ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since I don't use this software I am not qualified to decide if that's safe.
Usually the best course here is to mark the package as broken
and if nobody steps up, let the package get garbage-collected. If somebody does step up to audit the mysteriously-changed binary jarfile, and wants to take the reputational risk upon themselves, more power to them!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe @viluon can have a look ( last committer ), otherwise I agree with your assessment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with @amjoseph-nixpkgs . My nitpick is to open a tracking issue and reference it. So discussions of fixing that package happens in that issue. And add the day the breakage is being reported.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Upstream doesn't do version control on binaries AFAIK. The maintainer will have to be on top of version bumps to avoid this issue from happening. I don't use Nix, so I don't know if this is an option (probably isn't), but it may also be necessary to skip checking hashes to avoid breakages between updates.
Disregard this, I've been corrected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nah, see CCEmuX/CCEmuX#167. Thanks @kirillrdy for the mention.
Per @SquidDev's response, it should be safe to just update the hash, although the package will remain flaky. I agree that a full Nix build would be better, maybe the original packager @CrazedProgrammer has tried this in the past? I've had little luck with Gradle builds in Nix myself, but maybe this is a simple enough project that it could work. |
This package's FOD fails hash validation.