#Bootstrap fun: #libassuan upgraded its symbols separately from its #soname in a patch-level release (with several months in between!). On #ArchLinux we had upgraded to the weird version that has a soname change but no symbol change. Since #pacman requires the library transitively via #gpgme, there now is no clean way to upgrade this without patching all consumers in some intermediate step. 🗑️ 🔥 (The staging build environment would otherwise have a broken pacman and thus not be functional).
Maximum chaos on #ICE2949 as the replacement for #ICE759: I get emails saying that my seat reservation (#Sitzplatzreservierung) was transferred, but on the train there are various reserved seats (from other trains that were also merged into this one?!). The train attendant says there are no seat reservations. Hardly confusing 👌
Will frame "I don't count it that way" for whenever there need to be thousands of lines of arbitrary changes made to the build system of a widely used project on a weekly basis in one dump commit.
Obfuscation of other changes? High complexity? No reproducibility because you use a custom #autotools 2.13 fork?
Just say "I don't count it that way" and the problem will disappear! If it doesn't, pair with "I have done it like this since the 90s" for extra effect. 😘👌
"Yo 🐶 , I heard you like packages, so I put packages in your package... and if I can't download them I'll build them from untrusted and unverified sources in arbitrary versions instead..." 😬
When shit gets stolen from your basement (again) because your "landlord" still has not fixed a door to be less unsafe from the last time there was a break-in.
It seems #juce moved modules/juce_audio_plugin_client/utility/juce_CreatePluginFilter.h to modules/juce_audio_plugin_client/detail/juce_CreatePluginFilter.h between 7.0.5 and 7.0.7... (this of course breaks builds...)
Come on... at least bump the minor version for something like this... 🙄 Stuff based on juce is already terrible to maintain as is. It doesn't have to be made even harder by something like this.
To scream into the void: Yes, PyPI, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile #reproduciblebuilds is now broken for those packages.