Udi Fuchs <udifuchs@...> writes:
Since this didn't seem likely to get resolved correctly, I have used
DIST_SUBDIR in pkgsrc, which lets a recorded hash be associated with a
(local) storage location. This ensures that the old copy (same name,
different bits) will not be checked for hash correctness and fail.
I get it that the official mirrors all have only the new version. The
issue is that users (and packaged build systems) had downloaded the old
> Anyway, the damage is already done, so there is no point in releasing
> 0.19.3 now.
Not quite; the point of 0.19.3 is that once that is released all
packaging systems can update to it and the confusion about 0.19.2
becomes no longer relevant.
From my end, I've worked around this in pkgsrc, so it's not bothering me
any more. But in general I think all projects should adhere to a
named-tarballs-never-ever-change policy, partly for this, and partly to
avoid security false alarms.
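
An added illustration (not part of the original message, and not pkgsrc code): a toy Python model of a distfile cache, showing why a re-rolled tarball with an unchanged name fails verification for anyone holding the old copy, and how a separate storage subdirectory, as DIST_SUBDIR provides, avoids the collision. The file name, contents and subdirectory name are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def fetch_and_verify(distdir, subdir, name, recorded_sha256, mirror_bytes):
    """Toy model: reuse a cached distfile if one exists, otherwise 'download'
    it from the mirror, then compare it with the recorded hash."""
    target = Path(distdir) / subdir / name
    if target.exists():
        origin = "cached"
    else:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(mirror_bytes)
        origin = "downloaded"
    return origin, sha256_of(target) == recorded_sha256


def run_demo():
    name = "example-0.19.2.tar.gz"              # constructed file name
    old_bits = b"first upload of the tarball"   # constructed contents
    new_bits = b"re-rolled upload, same name"   # constructed contents
    recorded = hashlib.sha256(new_bits).hexdigest()  # hash recorded for the new bits

    with tempfile.TemporaryDirectory() as distdir:
        # A user who fetched before the re-roll still has the old bits cached.
        (Path(distdir) / name).write_bytes(old_bits)

        # Same name, same location: the stale copy is reused and the check fails.
        flat = fetch_and_verify(distdir, "", name, recorded, new_bits)

        # Hypothetical subdirectory name: the stale copy is never consulted.
        scoped = fetch_and_verify(distdir, "example-0.19.2-reroll", name,
                                  recorded, new_bits)

        old_untouched = (Path(distdir) / name).read_bytes() == old_bits
    return flat, scoped, old_untouched


if __name__ == "__main__":
    print(run_demo())
```

The failed check in the first case is indistinguishable, from the hash alone, from a tampered download, which is the false alarm the message refers to.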