Did 3.12.0 get re-tagged? (lapack, closed)

chenrui333 commented on May 24, 2024
Did 3.12.0 get re-tagged?

from lapack.

Comments (6)

christoph-conrads commented on May 24, 2024

> I do not understand enough to know what is requested. If someone can explain again, or take action, this would be great.

Package managers that can build from source (e.g., Homebrew, Spack, Portage...) save for each package release the hash of its source tarball. When building the software, the hash of the downloaded tarball is compared against the known hash and if it does not match, the build is immediately aborted for security reasons and an error message is shown to the user. To update the hash, the build error must be reported, the maintainers of the package manager will want to find out why the hash changed, and then they need to patch their own software if the hash changed for benign reasons.

Two suggested approaches for the future are...

  • Do not re-release with the same version number.
  • Do not silently re-release with the same version number and leave a note for package manager maintainers why the hash changed.

langou commented on May 24, 2024

Hi @chenrui333. Yes it got retagged, and I just did it again, like a minute ago, we had an error in our "thanks". This is corrected now. Sorry about this. Thanks for checking. Julien.

chenrui333 commented on May 24, 2024

no worries, thanks for confirming it, it would be nice to push a new version in either case. Thanks! :)

martin-frbg commented on May 24, 2024

It might be a good idea to mention any such re-tagging on the Releases page if incrementing the version number is not desired. (And as I have learned, ideally download and re-upload the github-generated archives together with their checksums - sometimes github changes something in their toolchain that leads to re-generation of the automatically created archives with a new checksum). Some people, and especially the distribution packagers, use the archive checksum to ensure an official source package has not been tampered with - silent re-releases like this are likely to set off alarm bells somewhere.

langou commented on May 24, 2024

I am not sure any longer that we are speaking about the same thing. I edited the release page, but I do not think any longer that this impacts the checksum. Yes, we might have changed the retagged / changed the checksum on Friday when we released. We realized that some documentation was not correctly updated. So I think we released and erased the release and released a second time. If something needs to happen, like releasing with a new version number (3.12.1), this is OK. I do not understand enough to know what is requested. If someone can explain again, or take action, this would be great.

langou commented on May 24, 2024

Hi @christoph-conrads and @martin-frbg, thanks for explaining. We'll try to be better next time. Julien.
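
The pinned-hash check described in the comments by christoph-conrads and martin-frbg, as an added example that is not part of the original thread and is not code from Homebrew, Spack, Portage or LAPACK. It goes one step further and shows how a packager can tell a regenerated archive (same sources, new bytes) from a re-tag (sources changed). It assumes the packager kept a copy of the previously verified tarball; the function names and sample files are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_tarball(files: dict, mtime: int, level: int = 9) -> bytes:
    """Build a constructed .tar.gz in memory (stand-in for a release archive)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, body in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            tar.addfile(info, io.BytesIO(body))
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=0)

def tree_digest(tarball: bytes) -> str:
    """Digest of file names and contents only; tar metadata and compression are ignored."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():  # symlinks and file modes are out of scope for this sketch
                body = tar.extractfile(m).read()
                h.update(m.name.encode() + b"\0" + sha256(body).encode() + b"\n")
    return h.hexdigest()

def triage(pinned_sha256: str, known_good: bytes, downloaded: bytes) -> str:
    """Classify a download against the hash pinned in the package recipe."""
    if sha256(downloaded) == pinned_sha256:
        return "match"                 # build may proceed
    if tree_digest(downloaded) == tree_digest(known_good):
        return "archive-regenerated"   # same sources, different archive bytes
    return "source-changed"            # re-tag or tampering: needs human review

# Constructed sample data, not real LAPACK contents.
TREE = {"pkg-1.0/README": b"Thanks to contributer A\n", "pkg-1.0/src/solve.f": b"      END\n"}
FIXED = dict(TREE, **{"pkg-1.0/README": b"Thanks to contributor A\n"})
ORIGINAL = make_tarball(TREE, mtime=1700000000)
REGENERATED = make_tarball(TREE, mtime=1700000500, level=1)  # new archive bytes only
RETAGGED = make_tarball(FIXED, mtime=1700000000)             # file content edited
PINNED = sha256(ORIGINAL)

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("regenerated", REGENERATED), ("retagged", RETAGGED)]:
        print(label, triage(PINNED, ORIGINAL, blob))
```

Anything other than "match" still fails the build; the classification only tells the maintainer which explanation to look for before updating the pinned hash.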
