New Install Issue #37

Closed
wiggins-philip opened this issue May 16, 2024 · 4 comments · Fixed by #38


@wiggins-philip

Error: "YunoHost was able to download the asset 'main' (https://github.com/ajnart/homarr/archive/refs/tags/v0.15.3.tar.gz)\
\ for homarr, but the asset doesn't match the expected checksum.

Full log:
https://paste.yunohost.org/raw/juwijesuqe

@tituspijean
Member

tituspijean commented May 16, 2024

The Homarr package for YunoHost was updated at 03:36 GMT+2 on 2024-05-08, while the v0.15.3 tag now has its assets timestamp at 16:06 on the same date, while the release is timestamped at 19:39.

So it looks like there was a sneaky update of the tag after a hotfix: ajnart/homarr#2043
(devs, @manuel-rw, don't do that, please... it rings all bells and whistles here, since we want to check for assets corruption or malicious actors😰)

I'll update the YunoHost package to fix that.


Please, if you post here on the forum and also in the app issues, mention it. 😉

@manuel-rw

manuel-rw commented May 16, 2024

Hi,
sorry for any inconvenience that this has caused.
We are not aware of how downstream repositories are consuming our updates or how "sneaky" pushes could break them.
I appreciate your effort in attempting to avoid malicious packages - it's common to see infected apps in many places.
As part of our major update to 1.0, we will strictly adhere to the conventional commit guidelines without exceptions.
This should get rid of such issues - we're currently not happy either with how Homarr's tagging currently works.
We're also implementing test coverage using unit tests for 1.0 which should reduce regressions.

I want to reiterate; sorry for the trouble. I'm happy to provide assistance if you need it. Cheers 🙌

@tituspijean
Member

No worries, it only took me a few minutes to understand what happened, and I totally understand the desire for a "clean and neat release"; though it can cause issues, like in this instance our automated updater had run between the initial release and the hotfix. 😅

Cheers, and thank you for your work on Homarr! ❤️

@manuel-rw

I'm glad that you were able to fix it.
Homarr's current architecture & pipeline is not up to standards anymore - we have thousands of instances and over 7 million image downloads.
We are working hard to make 1.0 improve on every level of that.
And using conventional commits, it should also be easier for you guys to detect breaking changes.

We do not directly interact with YunoHost, but we're aware that many are using it.
So feel free to contact us again if you need help. I notified our other contributors about this incident and we will attempt to avoid sneaky pushes.

Cheers 👋
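
Added example (not part of the thread, and not YunoHost's or Homarr's code): a sketch of the pinned-checksum check discussed above, showing why an archive regenerated under the same tag is refused. The function names, the `install` helper and both archives are hypothetical and constructed for illustration.

```python
import gzip, hashlib, hmac, io, tarfile

def make_tarball(files):
    """Build a deterministic .tar.gz in memory (constructed sample data)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = 0  # fixed timestamp so identical content hashes identically
            tar.addfile(info, io.BytesIO(content))
    return gzip.compress(raw.getvalue(), mtime=0)

class ChecksumMismatch(Exception):
    def __init__(self, name, expected, actual):
        super().__init__(f"asset {name!r}: expected sha256 {expected}, got {actual}")
        self.expected, self.actual = expected, actual

def verify_asset(name, data, pinned_sha256):
    """Fail closed: hand the bytes back only if they match the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise ChecksumMismatch(name, pinned_sha256, actual)
    return data

# Constructed stand-ins for the v0.15.3 archive at packaging time and after
# the tag was moved onto a hotfix commit (contents are invented).
ORIGINAL = make_tarball({"homarr/package.json": b'{"version": "0.15.3"}\n'})
RETAGGED = make_tarball({"homarr/package.json": b'{"version": "0.15.3"}\n',
                         "homarr/hotfix.txt": b"fix\n"})
PINNED = hashlib.sha256(ORIGINAL).hexdigest()  # digest recorded by the packager

def install(data):
    """Hypothetical installer step: verify first, unpack only on a match."""
    try:
        verify_asset("main", data, PINNED)
    except ChecksumMismatch as exc:
        return f"refused: {exc}"
    return "installed"

if __name__ == "__main__":
    print(install(ORIGINAL))  # same bytes as when the digest was pinned
    print(install(RETAGGED))  # same tag name, different bytes
```

The check cannot tell a moved tag from corruption or tampering, which is why the mismatch has to be investigated before the pinned digest is updated.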
