On Tue, Nov 13, 2012 at 10:00 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Dave Cramer <pg@fastcrypt.com> writes: > Tom, > I've fixed the tar file.
Um ... you just replaced the tar file with another one of the same name? That's going to cause a lot of confusion.
[ downloads and takes a look... ] What's worse, the contents of the tarballs aren't the same --- it looks like this is a slightly newer snapshot than what was in the old tarball. Which means it doesn't correspond to the sources that were used to build the published jar files.
I think you've just converted a minor annoyance into a major disaster. When I package a Red Hat or Fedora package, there are automated cross-checks that verify that the tarball I provide matches bit-for-bit what can be downloaded from the upstream URL I claim to have got it from. I imagine other distros have similar checks. You just broke that --- as of now, the package I finished making a few hours ago will fail verification.
I think you should either go back to the previous tarball for now, or repackage this as a "1002" build. It's too late to be changing the published tarball for build 1001.
