Simplenote-electron: Don't silently modify release files

Created on 2 May 2018 · 3 Comments · Source: Automattic/simplenote-electron

It appears that the latest .deb release file (https://github.com/Automattic/simplenote-electron/releases/download/v1.1.3/Simplenote-linux-1.1.3.deb) has been modified at least twice since it was published, resulting in the community Archlinux package for simplenote breaking at times since the checksum changes. See https://aur.archlinux.org/packages/simplenote-electron-bin/ for reference.

Curious to know if this has been intentional - if so, please consider not clobbering published files (it's bad for user experience and trust); if not, perhaps something malicious has been tampering with your releases?

All 3 comments

Same comment here: this is an issue; we generally prefer building from source rather than using the binary. If, in addition, the package is changing unexpectedly and with no proper log and tracking, we may have to stop supporting simplenote-electron in its binary form for security reasons.

Not only is this disconcerting, but by not bumping the version number in some way, simply replacing the package will not cause users/package managers to update to the new package, so you end up with people running some mix of the various package variants. Depending on what has been changed, this may or may not lead to difficult-to-debug issues.

Thanks for flagging this. We'll keep this in mind!
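The checksum breakage described in the issue body and the "no proper log and tracking" point in the first comment, as an added example that is not code from the simplenote-electron project or the AUR package: a downstream verifier that pins the expected SHA-256 the way a PKGBUILD's sha256sums does, and keeps a history of digests seen per version so that a file silently replaced under the same version number is reported as a replacement rather than a generic mismatch. The artifact bytes, version string and file name below are constructed for the example.

```python
"""Pin-and-track verification for published release artifacts (added example)."""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes, the value a packager pins."""
    return hashlib.sha256(data).hexdigest()


class ReleaseTracker:
    """Records every digest observed for a (version, filename) pair."""

    def __init__(self) -> None:
        self.history = defaultdict(list)

    def check(self, version: str, filename: str, data: bytes, pinned: str) -> str:
        """Return 'ok', 'replaced' or 'mismatch' for one downloaded artifact.

        'ok'       : digest equals the pinned value.
        'replaced' : this version/filename has now been seen with more than one
                     distinct content, i.e. the publisher changed the file
                     without bumping the version.
        'mismatch' : first sighting of this version and it does not match the
                     pin (bad pin, corrupted download, or tampering).
        """
        digest = sha256_hex(data)
        seen = self.history[(version, filename)]
        if digest not in seen:
            seen.append(digest)
        if digest == pinned:
            return "ok"
        if len(seen) > 1:
            return "replaced"
        return "mismatch"


def demo() -> list:
    """Walk through the scenario from the issue with constructed artifacts."""
    tracker = ReleaseTracker()
    name, version = "example-linux-1.1.3.deb", "1.1.3"   # constructed, hypothetical
    original = b"constructed deb payload, first publication"
    republished = b"constructed deb payload, quietly re-uploaded"
    pin = sha256_hex(original)                             # what the PKGBUILD pinned
    return [
        tracker.check(version, name, original, pin),       # 'ok'
        tracker.check(version, name, republished, pin),    # 'replaced'
    ]


if __name__ == "__main__":
    print(demo())
```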
