Should new releases of phpList be downloaded from GitHub? Or from sourceforge?
I’m trying to download the latest version of phpList.
Because phpList still doesn’t sign its releases , users (like me!) do not have a way to authenticate the releases that we download before installing them on our servers.
After a previous (and concerning!) failure to 3TOFU, I noticed that phpList also has releases on GitHub:
I re-did the 3TOFU and obtained the following files
dfe441583f7f72b116c2f7db24821259df4fdc991ab52a7078ba3293729d71b9 phplist-3.6.15.tgz
fcbe14b2770832d2788f3a8a5c9c6c18b178bf069559ca30c947bac78ca51e19 phplist-3.6.15.zip
31e4a733aa481fe483f5513931d04607b14243b7f2cc2c3c210a6abe508e3265 v3.6.15.tar.gz
16c3bc98c6d4acd52478042b733c90ac8d64d31762b884856e6cf3c620b4b82e v3.6.15.zip
Extracting and recursive diffing each of these files (the ones named phplist-3.6.15 being from sourceforge and the ones named v3.6.15 being from GitHub) shows they’re identical. So the hash difference is only due to zip vs tgz.
However, the files on sourceforge and the files on GitHub do differ:
user@ose:~/tmp/hetzner3/3tofu3$ diff -r phplist-3.6.15-zip/phplist-3.6.15 v3.6.15-zip/phplist3-3.6.15/
Only in v3.6.15-zip/phplist3-3.6.15/bin: fake-sendmail.sh
Only in v3.6.15-zip/phplist3-3.6.15/bin: imgur-uploader.sh
Only in v3.6.15-zip/phplist3-3.6.15/bin: start-selenium
Only in v3.6.15-zip/phplist3-3.6.15/: composer.json
Only in v3.6.15-zip/phplist3-3.6.15/: composer.lock
Only in v3.6.15-zip/phplist3-3.6.15/: default.behat.yml
Only in v3.6.15-zip/phplist3-3.6.15/: .dotgitlab-ci.yml
Only in v3.6.15-zip/phplist3-3.6.15/: .github
Only in v3.6.15-zip/phplist3-3.6.15/: .gitignore
Only in v3.6.15-zip/phplist3-3.6.15/: .gitmodules
Only in v3.6.15-zip/phplist3-3.6.15/: .gitsvnextmodules
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin: help
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin: info
diff -r phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/init.php v3.6.15-zip/phplist3-3.6.15/public_html/lists/admin/init.php
11c11,44
< define("VERSION","3.6.15");
---
> //## remove on rollout ###
> if (is_file(dirname(__FILE__).'/../../../VERSION')) {
> $fd = fopen(dirname(__FILE__).'/../../../VERSION', 'r');
> while ($line = fscanf($fd, '%[a-zA-Z0-9,. ]=%[a-zA-Z0-9,. ]')) {
> list($key, $val) = $line;
> if ($key == 'VERSION') {
> $version = $val;
> }
> }
> fclose($fd);
> } else {
> $version = 'dev';
> }
>
> if (!defined('VERSION')) {
> if (!ini_get('open_basedir') && is_dir(dirname(__FILE__).'/../../../.git')) {
> define('VERSION', $version.'-dev');
> define('DEVVERSION', true);
> } else {
> define('VERSION', $version);
> define('DEVVERSION', false);
> }
> } else {
> define('DEVVERSION', false);
> }
>
> if (empty($GLOBALS['commandline']) && isset($GLOBALS['developer_email']) && $_SERVER['HTTP_HOST'] != 'dev.phplist.com' && !empty($GLOBALS['show_dev_errors'])) {
> error_reporting(E_ALL);
> ini_set('display_errors', 1);
> foreach ($_REQUEST as $key => $val) {
> unset($$key);
> }
> }
> //## end remove on rollout ###
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: campaignslicer.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: CaptchaPlugin
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: CaptchaPlugin.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: CKEditorPlugin
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: CKEditorPlugin.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: Common
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: CommonPlugin
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: CommonPlugin.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: COPYING.txt
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: dateplaceholder.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: disposablemailblock.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: domainthrottlemap.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: embedremoteimages.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: inviteplugin.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: SegmentPlugin
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: SegmentPlugin.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: subjectLinePlaceholdersPlugin.php
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: UpdaterPlugin
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/plugins: UpdaterPlugin.php
diff -r phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/structure.php v3.6.15-zip/phplist3-3.6.15/public_html/lists/admin/structure.php
16c16
< define('STRUCTUREVERSION',"3.6.15");
---
> define('STRUCTUREVERSION', 'dev');
Only in v3.6.15-zip/phplist3-3.6.15/public_html/lists/admin: tests
Only in v3.6.15-zip/phplist3-3.6.15/public_html/lists/admin/ui: default
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/admin/ui: phplist-ui-bootlist
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists: base
diff -r phplist-3.6.15-zip/phplist-3.6.15/public_html/lists/config/config.php v3.6.15-zip/phplist3-3.6.15/public_html/lists/config/config.php
35,38c35
< define('PHPMAILERHOST', 'localhost');
< define('PHPMAILERPORT',2500);
< define('PHPMAILER_SECURE',false);
<
---
> define('PHPMAILERHOST', '');
44c41
< define('TEST', 0);
---
> define('TEST', 1);
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists: texts
Only in phplist-3.6.15-zip/phplist-3.6.15/public_html/lists: updater
Only in v3.6.15-zip/phplist3-3.6.15/: scripts
Only in v3.6.15-zip/phplist3-3.6.15/: TESTING.md
Only in v3.6.15-zip/phplist3-3.6.15/: tests
Only in v3.6.15-zip/phplist3-3.6.15/: Vagrantfile
user@ose:~/tmp/hetzner3/3tofu3$
Can someone explain to me:
- What these differences are?
- Why these differences exist?
- Do these differences matter (ie: can either be used to install in prod)?
- Where should we be downloading releases from? Sourceforge or GitHub? And why?