0.22.0 release

[chenrui333]

ISSUE TYPE

• Bug Report
• Feature Idea

BUG REPORT

SUMMARY

👋 Looks like the 0.22.0 release did not get completed, thanks!

relates to Homebrew/homebrew-core#125542

[github-actions]

Thanks for opening your first issue here! Be sure to follow the issue template!

[chenrui333]

cc @genevieveluyt

[chenrui333]

It would be good to not re-tag the release as well.

relates to:

• kubeaudit 0.22.0 Homebrew/homebrew-core#126306
• kubeaudit 0.22.0 Homebrew/homebrew-core#125542

[genevieveluyt]

Hi @chenrui333 I'm actually not sure we can complete the release in the state it was tagged. I think we may need to skip that version and release the next version with the new release process. @chenrui333 is that a problem for brew? @dani-santos-code wdyt?

[felipeng]

Not sure if is related, but for me the latest version 0.22.0 is not working but 0.21.0 is:

/tmp # uname -m
x86_64
/tmp # wget https://github.com/Shopify/kubeaudit/releases/download/v0.22.0/kubeaudit_0.22.0_linux_amd64.tar.gz
Connecting to github.com (192.30.255.112:443)
Connecting to objects.githubusercontent.com (185.199.110.133:443)
saving to 'kubeaudit_0.22.0_linux_amd64.tar.gz'
kubeaudit_0.22.0_lin 100% |*****************************************************************************************************************************************************************| 9724k  0:00:00 ETA
'kubeaudit_0.22.0_linux_amd64.tar.gz' saved
/tmp # tar -zxf kubeaudit_0.22.0_linux_amd64.tar.gz 
/tmp # ./kubeaudit
sh: ./kubeaudit: not found
/tmp # rm -rf *
/tmp # wget https://github.com/Shopify/kubeaudit/releases/download/v0.21.0/kubeaudit_0.21.0_linux_amd64.tar.gz
Connecting to github.com (192.30.255.112:443)
Connecting to objects.githubusercontent.com (185.199.110.133:443)
tsaving to 'kubeaudit_0.21.0_linux_amd64.tar.gz'
kubeaudit_0.21.0_lin 100% |*****************************************************************************************************************************************************************| 9604k  0:00:00 ETA
'kubeaudit_0.21.0_linux_amd64.tar.gz' saved
/tmp # tar -xvf kubeaudit_0.21.0_linux_amd64.tar.gz 
README.md
kubeaudit
/tmp # ./kubeaudit version
0.21.0

[ZhongRuoyu]

is that a problem for brew?

Sort of, and I assume that it's likely the same for many other downstream packagers.

Often, we build a new version of a package when we see a new tag comes out. And it confuses us when the tag is pulled, modified, and republished later, because we'll see the change in the source artifact's checksum. In those cases we'll have to confirm with upstream maintainers to see if that's intentional. There can be good cases, where the retagging was just a consequence of an oversight; but there can also be bad ones, where the source repository gets compromised somehow. And we'll need to wipe out the chance of the latter.

Also, as mentioned in Git's documentation, re-tagging is an "insane thing" that's strongly discouraged, because tags are meant to be final once they are published. A recommended way would be, as you and also the docs have mentioned, to publish a new version (i.e. tag) instead. (Or if you're just unsure if CI works -- it would be nice to have some other ways to test it, like doing it in a fork.)

I see that the tag v0.22.0 was pulled and republished several times. So, with that said, could we get your confirmation that the tag v0.22.0 published on https://github.com/Shopify/kubeaudit/releases/tag/v0.22.0 (currently pointing to commit 538937d) is legitimate and final? (See also #569.)

Thanks! We appreciate all your great work maintaining the kubeaudit project. ❤️

[chenrui333]

close via the recent releases