Bug 242329

Summary: GitLab doesn't seem to require GL_COMMIT any more
Product: Ports & Packages Reporter: Yuri Victorovich <yuri>
Component: Ports FrameworkAssignee: Port Management Team <portmgr>
Status: Closed DUPLICATE    
Severity: Affects Only Me CC: dave, jbeich, ports-bugs, saper, tcberner
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description Yuri Victorovich freebsd_committer freebsd_triage 2019-11-30 23:08:01 UTC 
The framework prints: GL_COMMIT is a required 40 character hash for use USE_GITLAB

But the tarball URL doesn't contain commit any more.
Now 
> MASTER_SITES=https://gitlab.com/${PORTNAME}/${PORTNAME}/-/archive/${DISTVERSIONFULL}/
is sufficient.

Testcase: port audio/zrythm
Comment 1 Jan Beich freebsd_committer freebsd_triage 2019-12-01 10:32:16 UTC 
Looks like ${GL_COMMIT} is stripped if archive name matches ${GH_PROJECT}-${GH_TAGNAME} e.g.,

$ fetch https://code.videolan.org/videolan/dav1d/-/archive/0.5.1/dav1d-0.5.1.tar.gz
$ tar tvf dav1d-0.5.1.tar.gz
drwxrwxr-x  0 root   root        0 Oct 25 19:38 dav1d-0.5.1/

$ fetch https://code.videolan.org/videolan/dav1d/-/archive/0.5.1/0.5.1.tar.gz
$ tar tvf 0.5.1.tar.gz | head -1
drwxrwxr-x  0 root   root        0 Oct 25 19:38 dav1d-0.5.1-bb160f09fa7ad132f4b6a014ac8e168b913ee3ab/

$ fetch https://code.videolan.org/videolan/dav1d/-/archive/bb160f0/dav1d-bb160f0.tar.gz
$ tar tvf dav1d-bb160f0.tar.gz | head -1
drwxrwxr-x  0 root   root        0 Oct 25 19:38 dav1d-bb160f0/

$ fetch https://code.videolan.org/videolan/dav1d/-/archive/0.5.1/foo.tar.gz
$ tar tvf foo.tar.gz
drwxrwxr-x  0 root   root        0 Oct 25 19:38 dav1d-0.5.1-bb160f09fa7ad132f4b6a014ac8e168b913ee3ab/

$ fetch https://code.videolan.org/videolan/dav1d/-/archive/bb160f0/bar.tar.gz
$ tar tvf bar.tar.gz
drwxrwxr-x  0 root   root        0 Oct 25 19:38 dav1d-bb160f0-bb160f09fa7ad132f4b6a014ac8e168b913ee3ab/

$ fetch -o qux.tar.gz https://code.videolan.org/videolan/dav1d/-/archive/bb160f0/dav1d-0.5.1.tar.gz
$ tar tvf qux.tar.gz
drwxrwxr-x  0 root   root        0 Oct 25 19:38 dav1d-bb160f0-bb160f09fa7ad132f4b6a014ac8e168b913ee3ab/
Comment 2 Yuri Victorovich freebsd_committer freebsd_triage 2019-12-01 15:34:46 UTC 
https://gitlab.com doesn't accept URLs with hashes as the FreeBSD framework constructs them, and ports become unfetchable. But other GitLab installations work as before and do accept hashes.
Comment 3 David Griffith 2020-03-31 18:40:55 UTC 
Poking around at Gitlab's website, I find that this works to download a tarball of an arbitrary commit:

https://gitlab.com/${GL_ACCOUNT}/${PORTNAME}/-/archive/${GL_COMMIT}/${PORTNAME}-${GL_COMMIT}.tar.gz

You can substitute ${PORTVERSION} for ${GL_COMMIT} in the above URL and it also works.  The file size for a downloaded tarball using ${PORTVERSION} differs from the same tarball (contents anyways) obtained by using ${GL_COMMIT}.

This difference in file sizes is causing me some confusion because the file deposited in /usr/ports/distfiles has a different filesize from what I get by using git-archive(1) or what NetBSD downloads for use with pkgsrc.  I'm not sure how relevant this is, but I was pointed to this bug from https://lists.freebsd.org/pipermail/freebsd-ports/2020-March/118073.html
Comment 4 Marcin Cieślak 2020-04-03 12:26:06 UTC 
David - I have tried to fetch three URLs:

https://gitlab.com/DavidGriffith/frotz/-/archive/2.51/frotz-2.51.tar.gz
https://gitlab.com/DavidGriffith/frotz/-/archive/73eec90ebb159ed687b74cbaf81e135c3e7e390b/frotz-73eec90ebb159ed687b74cbaf81e135c3e7e390b.tar.gz
https://gitlab.com/DavidGriffith/frotz/-/archive/73eec90ebb159ed687b74cbaf81e135c3e7e390b/frotz.tar.gz

I get two different files:

SHA1 (frotz-2.51.tar.gz) = 54aa50d36b6ae402d063c0fb64e990e50557ed1e
SHA1 (frotz-73eec90ebb159ed687b74cbaf81e135c3e7e390b.tar.gz) = 07620780e46fc23160f60c4f0b7e0a4edaad4e7e
SHA1 (frotz.tar.gz) = 07620780e46fc23160f60c4f0b7e0a4edaad4e7e

The difference is in the directory name:

for i in frotz*.tar.gz; do echo -n "$i "; tar tf "$i" | grep 'frotz-[^/]*/$'; done

frotz-2.51.tar.gz frotz-2.51/
frotz-73eec90ebb159ed687b74cbaf81e135c3e7e390b.tar.gz frotz-73eec90ebb159ed687b74cbaf81e135c3e7e390b/
frotz.tar.gz frotz-73eec90ebb159ed687b74cbaf81e135c3e7e390b/

Asking for a branch name (like "master") will cause the directory to be named like this:

frotz-master-cfa5a316f3acd0aad9828d2d49c82710ccae0cf9/

Therefore the sizes and the hashes have to be different...
Comment 5 Jan Beich freebsd_committer freebsd_triage 2022-02-13 11:54:58 UTC 
GL_COMMIT blocks portscout version probing, exacerbated by https://gitlab.com/gitlab-org/gitlab/-/issues/267523 Currently, the only way to detect new versions on GitLab-hosted projects is via Repology or out-of-band (*-announce@ list, IRC, Twitter, Reddit, etc). This makes it easy to miss security/stability releases by maintainers with many ports (out-of-band doesn't scale for >100 ports due to noise).
Comment 6 Tobias C. Berner freebsd_committer freebsd_triage 2022-09-07 16:51:44 UTC 

*** This bug has been marked as a duplicate of bug 248967 ***
Comment 7 Jan Beich freebsd_committer freebsd_triage 2022-09-07 17:12:45 UTC 
This one is older than bug 248967 and comment 3 here provides a partial fix. Once GL_COMMIT accepts non-full hash (abbreviated or refname) it'd be similar to GH_TAGNAME (in USE_GITHUB). Obviously, a proper fix would require a tree-wide cleanup (sweeping change) or a transitional period when GL_COMMIT is either missing or not equal to 40 hexadecimal digits.