Bitcoin Forum
June 24, 2024, 08:59:33 AM *
News: Voting for pizza day contest
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Source code releases are missing the fcgi submodule  (Read 320 times)
droark (OP)
Sr. Member
****
Offline Offline

Activity: 525
Merit: 282


View Profile WWW
November 01, 2017, 07:13:27 PM
 #1

Hello. A user PMed me and asked me to help them troubleshoot a compilation issue on macOS. It turns out that they were downloading ZIP files, which are missing the fcgi submodule. This appears to be a well-known GitHub bug that may never be fixed. The workaround is to put the source code up on the releases page, which I believe allows maintainers to control what gets uploaded as source. It turns out that the .zip and .tar.gz files on the releases page are also missing the fcgi submodule. This needs to be fixed. A quick Google search seems to indicate that maintainers can use a simple script to recursively download all submodules and then zip/tarball everything.

Thanks!
goatpig
Moderator
Legendary
*
Offline Offline

Activity: 3682
Merit: 1347

Armory Developer


View Profile
November 01, 2017, 08:25:04 PM
 #2

I've been pushing signed source since 0.96.2:

https://github.com/goatpig/BitcoinArmory/releases/download/v0.96.3.99/armory_0.96.3.99_src.tar.gz

That guy has no idea what he is doing therefor has no business building from a tarball. He should pull the signed tags and build from that. It is evident the github packaged source is useless: even if it carried the proper code (which it doesn't cause of git submodule shenanigans), the auto packaged source tarball IS NOT SIGNED. Github could shove anything they want in there. If he was checking sigs, he would have noticed that immediately.

droark (OP)
Sr. Member
****
Offline Offline

Activity: 525
Merit: 282


View Profile WWW
November 02, 2017, 12:06:29 AM
 #3

Ahhh, I think I see the problem. On the releases page, you see a bunch of files, along with "Source code (zip)" and "Source code (tar.gz)"). It's the source links that are bad. Your signed file, which appears to be complete, can be missed if somebody doesn't know what to download. If there's any way to include a note with the releases, it wouldn't hurt to mention that your signed file is the one people should get, and maybe in the README too. Annoying, I know, but GH doesn't seem too inclined to make this easy. :/

Anyway, I'll update some documentation and PR it. Thanks.
goatpig
Moderator
Legendary
*
Offline Offline

Activity: 3682
Merit: 1347

Armory Developer


View Profile
November 02, 2017, 02:31:56 AM
 #4

If there was a way to get rid of the auto github source, I'd like to know. It is still telling when someone grabs these files, tries to build and realize they don't work. Git submodules may be a blessing in disguise for these people, as they obviously did not check signatures on the tarball (there is none).

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!