Saturday, 8 September 2018

Ridiculous unusable download URLs for open source projects

I told myself (and everyone I know) that I wouldn't write another blog post until I moved the blog off Google Blogger, but I can't stay silent on this issue.

UPower, the open source power management software used on Linux (and I believe the *BSD family), has recently changed their download URLs. As the lead of Adélie Linux, I personally maintain a significant chunk of "core" desktop experience packages. We consider UPower to be one of those, because it is important to conserve energy whenever possible.

Today I was notified by Repology that UPower was out of date in Adélie. No big deal, I'll just bump it:

>>> upower: Fetching https://upower.freedesktop.org/releases/upower-0.99.8.tar.xz curl: (22) The requested URL returned error: 404 Not Found

"Hmm", I wondered to myself, "maybe this is a git snapshot package someone uploaded". It turns out it wasn't; Debian, Arch, and Fedora are all shipping 0.99.8 now. What gives?

I looked at Debian's packaging first, since they typically have a good hold on stability. I didn't even understand the change, though, so I looked up Exherbo's packaging and was horrified.

Instead of a simple URL, they are now using a GitLab Upload URL which contains an SHA-1 hash in the URL. That means all of our bump scripts can't work any more. Instead of simply typing a single abump command, for every release of UPower I will now have to:

  1. Open their GitLab instance in a Web browser, which isn't even installed on any of the staging computers to minimise security hazards:
  2. Wait for all the JavaScript and miscellaneous crap to load;
  3. Context-click the link for the UPower tarball;
  4. Copy the link;
  5. Connect to our staging system remotely from a computer with a Web browser installed;
  6. Open vim on the APKBUILD file for UPower;
  7. Paste the link into the source= line, replacing what is already there;
  8. And then run abuild checksum manually to update the sha512sum in the file.

WHY!? fd.o people, please, out of respect for us packagers that want to give your software to the people who need it, please use your /releases/ directory again!