GNU bug report logs - #21784
xz-5.0.4.tar.gz is unavailable upstream

Previous Next

Full log

Message #63 received at 21784 <at> debbugs.gnu.org (full text, mbox):

From: Lasse Collin <lasse.collin <at> tukaani.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 21784 <at> debbugs.gnu.org
Subject: Re: Old XZ tarballs
Date: Sat, 31 Oct 2015 20:29:08 +0200

On 2015-10-30 Ludovic Courtès wrote:
> Lasse Collin <lasse.collin <at> tukaani.org> skribis:
> > For some reason the old XZ Utils versions are more popular downloads
> > than the latest versions (5.0.8 and 5.2.2). Perhaps I should move
> > the downloads somewhere else to avoid bandwidth quota issues,
> 
> Some people move old tarballs to an old/ sub-directory, to make sure
> people do not mistakenly take an old version.  I don’t know if that
> would help here?

I don't like to break links intentionally. I know I did exactly that a
few days ago, but it cannot be the long-term solution. The links to old
versions are on a separate page already, so those using a web browser
are unlikely to get an old version by accident.

> > but on the other hand I feel that it's not nice if source-based
> > distributions rely on upstream servers instead of providing their
> > own distro-specific mirrors. If you think this isn't a reasonable
> > wish, feel free to say so.
> 
> Guix does automatically mirror tarballs via its “substitute”
> mechanism. However, users can turn it off, in which case they end up
> downloading the tarball from the upstream URL specified in the
> package recipe.

OK. :-) Why would users turn it off though? I would guess that one good
mirror would be more reliable than dozens of upstream sites of which
just one needs to be down to be a problem for a user. A package manager
should know the hash or signature of the file, so from security point
of view it doesn't matter where the file comes.

Note that I have nothing against including the upstream URL in the
build scripts. I just wish that it doesn't cause a *large* number of
users downloading the file from the upstream instead of distro's
mirror. To be fair, xz-5.0.4.tar.gz hasn't been a popular download
(xz-5.0.4.tar.bz2 is somewhat popular though), so I believe Guix users
haven't caused a significant amount of traffic for me. :-)

> > By the way, is there a reason why you use 5.0.4 instead of 5.0.8 (or
> > even 5.2.2)?
> 
> No good reason!  We’ll upgrade it as soon as this can be done without
> triggering too much rebuild/redownloads for users.

API/ABI is backward compatible so one shouldn't need to rebuild other
packages. There's a mailing list "xz-announce" in case you want a
notification when a new version is released:
<http://tukaani.org/xz/lists.html>

-- 
Lasse Collin  |  IRC: Larhzu @ IRCnet & Freenode

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.