Hosting binary 'source' tarballs

A while ago I have packaged Softmaker Office and FreeOffice, both are closed source, but are pretty useful (as least to me) because they have fairly good Office compatibility. The derivations work fine, except that they break regularly, because the source tarballs are replaced. E.g., at some point the release version is 972 with the corresponding download URL

https://www.softmaker.net/down/softmaker-office-2018-972-amd64.tgz

Then then Softmaker Office is updated, and not only do they release a new tarball such as:

https://www.softmaker.net/down/softmaker-office-2018-974-amd64.tgz

But the previous version’s tarball is 301-redirected to the new version. Of course, this breaks the derivation until the hash is updated. I asked about this, and they seem to do redirections because people click on links in older release emails:

https://forum.softmaker.com/viewtopic.php?f=320&t=19327&p=63557&hilit=nixos#p63557

They suggest hosting the source tarballs ourselves to avoid that hashes change. Is such a facility available?

Well, there is http://tarballs.nixos.org/ but not sure that’s actually intended for non-free software, as that could easily violate licences.

1 Like

There are some derivations where archive.org is leveraged, such as https://github.com/NixOS/nixpkgs/blob/0d7ca4ff088a55fd53825b9518e868b3e6d9ba33/pkgs/applications/networking/instant-messengers/skypeforlinux/default.nix#L64 - maybe that’s an option.

That’s a nice idea, though I guess for new releases one would have to wait some time before they become available?

Another option that I have considered is asking them if we could use GitHub releases. I could make a new repository, commit/tag some metadata, and upload the releases. This is e.g. how spaCy distribute models.

Yeah, that could work. The question is mostly of trust - if upstream already provides binary blobs for sth, it would be nicer to not have the need to trust some additional third party (in this case you, also depends on whether the tarballs are signed or not and the license). The archive.org workaround was mostly due to license and trust.

memtest86 falls into this category as well:

For one of my derivations i used the ability to upload packages onto archive.org ( https://git.shackspace.de/rz/stockholm/blob/master/krebs/5pkgs/simple/fortclientsslvpn/default.nix#L15 ). This could also be used if the webspace is rejecting the archive.org bot or the file is too large for scraping.

Similarly, I’ve got a derivation for the Obsidian X cursor theme, since it’s a solid theme and I was missing it from Gentoo. The OpenDesktop sites used to allow direct downloading, but they seem to have stopped, and an email I sent to them went unanswered. The package itself is derived from another GPLv2+ theme so hosting it isn’t a problem legally. Is there a service for cases like this? Is this tarballs.nixos.org?

(Of course, I’m scratching a personal itch here, I’d understand if we don’t want tons of random themes in Nixpkgs.)