Steps to reproduce the issue
$ spack checksum pmdk
==> Found 11 versions of pmdk:
1.11.0-rc2 https://github.com/pmem/pmdk/releases/download/1.11.0-rc2/pmdk-1.11.0-rc2.tar.gz
1.11.0-rc1 https://github.com/pmem/pmdk/releases/download/1.11.0-rc1/pmdk-1.11.0-rc1.tar.gz
1.11.0 https://github.com/pmem/pmdk/releases/download/1.11.0/pmdk-1.11.0.tar.gz
1.10-rc1 https://github.com/pmem/pmdk/releases/download/1.10-rc1/pmdk-1.10-rc1.tar.gz
1.10 https://github.com/pmem/pmdk/releases/download/1.10/pmdk-1.10.tar.gz
1.9.2 https://github.com/pmem/pmdk/releases/download/1.9.2/pmdk-1.9.2.tar.gz
1.9.1 https://github.com/pmem/pmdk/releases/download/1.9.1/pmdk-1.9.1.tar.gz
1.9 https://github.com/pmem/pmdk/releases/download/1.9/pmdk-1.9.tar.gz
1.8.1 https://github.com/pmem/pmdk/releases/download/1.8.1/pmdk-1.8.1.tar.gz
...
1.5 https://github.com/pmem/pmdk/archive/1.5.tar.gz
==> How many would you like to checksum? (default is 1, q to abort) 10
==> Fetching https://github.com/pmem/pmdk/releases/download/1.11.0-rc2/pmdk-1.11.0-rc2.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.11.0-rc1/pmdk-1.11.0-rc1.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.11.0/pmdk-1.11.0.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.10-rc1/pmdk-1.10-rc1.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.10/pmdk-1.10.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.9.2/pmdk-1.9.2.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.9.1/pmdk-1.9.1.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.9/pmdk-1.9.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.8.1/pmdk-1.8.1.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.7.1/pmdk-1.7.1.tar.gz
version('1.11.0-rc2', sha256='25885ea35d2bb25fc5193135045efacf97f64b26df12585e885a849972cd850d')
version('1.11.0-rc1', sha256='0d0947ab079be50ff752c184d04f6001d2bc95f2083c59c488ff4304c45deaec')
version('1.11.0', sha256='2116f30b1fbb3ee11b208f21f6eb81e594649608d85f6741d597a7fbea36143b')
version('1.10-rc1', sha256='8dd6fdad1a870f7f861e760c40aa3cc4fb248b9eec5f98a869c05cbd96971b5f')
version('1.10', sha256='08dafcf94db5ac13fac9139c92225d9aa5f3724ea74beee4e6ca19a01a2eb20c')
version('1.9.2', sha256='38c0dc5cec1145b1a42d7c3de8fa726f246346c29256c6658ccb264a00db54f3')
version('1.9.1', sha256='3f31b75b07ec484028b8c00918b2dcb410fed5e3683e471f04bdf1e957f39b75')
version('1.9', sha256='956186faa3feb0156f58da5578143cce22501b9b4a00133a490f997594cb466f')
version('1.8.1', sha256='0ae98ace247e2417718e64e3ea2cf7959cf7dce0e686f95ebfe3853a4c22c00e')
version('1.7.1', sha256='cc48cc623fd36f9fb7898dde7406802f4e1a4ad7c84c091979ce20cd5a0e14b0')
$ spack checksum pmdk 1.11.0
==> Found 1 version of pmdk:
1.11.0 https://github.com/pmem/pmdk/archive/1.11.0.tar.gz
==> Fetching https://github.com/pmem/pmdk/archive/1.11.0.tar.gz
version('1.11.0', sha256='bfbc82e6bfd788c8bcb380da76172b83732d12775a719c9c423eb2fadc78bb3a')
As you can see, requesting 10 checksums makes spack fetch from a certain link (https://github.com/pmem/pmdk/releases/download/1.11.0/pmdk-1.11.0.tar.gz) and yields a certain sha256 value, while requesting a single version's checksum makes spack use another link (https://github.com/pmem/pmdk/archive/1.11.0.tar.gz) and yield a different checksum.
From trying to install the package later on, the checksum fetched using a single version appears to be the correct one.
I suspect that the problem is this: when checksumming a version specified by the command line, spack uses url_for_version and computes a URL based on the url found in the package definition. When we don't specify a version however, spack uses the git repository of the package to request a list of versions, leading to a different checksum.
I don't know why git keeps two archives of each version with a different checksum, though.
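As an added example (not part of the original report and not Spack's own code), the script below pairs each fetched URL with the digest printed in the two transcripts above and reports versions for which the two runs disagree on source URL or sha256. The function names are hypothetical, the transcripts are excerpts of the output shown in this report, and the parsing assumes the Nth "Fetching" line corresponds to the Nth version() line.

```python
import re

FETCH = re.compile(r"^==> Fetching (\S+)$")
VERSION = re.compile(r"^version\('([^']+)', sha256='([0-9a-f]{64})'\)$")

def parse_run(transcript):
    """Map version -> (url, sha256) for one `spack checksum` transcript.

    Assumption: the Nth "Fetching" line belongs to the Nth version() line.
    """
    urls, pins = [], []
    for line in transcript.splitlines():
        line = line.strip()
        if (m := FETCH.match(line)):
            urls.append(m.group(1))
        elif (m := VERSION.match(line)):
            pins.append(m.groups())
    if len(urls) != len(pins):
        raise ValueError("fetch lines and version() lines do not pair up")
    return {ver: (url, sha) for url, (ver, sha) in zip(urls, pins)}

def conflicts(run_a, run_b):
    """Versions present in both runs whose source URL or digest differ."""
    return {v: (run_a[v], run_b[v])
            for v in sorted(run_a.keys() & run_b.keys())
            if run_a[v] != run_b[v]}

# Excerpts of the two transcripts in this report (listing run cut to two versions).
LISTING_RUN = """
==> Fetching https://github.com/pmem/pmdk/releases/download/1.11.0/pmdk-1.11.0.tar.gz
==> Fetching https://github.com/pmem/pmdk/releases/download/1.10/pmdk-1.10.tar.gz
version('1.11.0', sha256='2116f30b1fbb3ee11b208f21f6eb81e594649608d85f6741d597a7fbea36143b')
version('1.10', sha256='08dafcf94db5ac13fac9139c92225d9aa5f3724ea74beee4e6ca19a01a2eb20c')
"""

SINGLE_RUN = """
==> Fetching https://github.com/pmem/pmdk/archive/1.11.0.tar.gz
version('1.11.0', sha256='bfbc82e6bfd788c8bcb380da76172b83732d12775a719c9c423eb2fadc78bb3a')
"""

if __name__ == "__main__":
    found = conflicts(parse_run(LISTING_RUN), parse_run(SINGLE_RUN))
    for ver, ((url_a, sha_a), (url_b, sha_b)) in found.items():
        print(f"{ver}: listing run  {sha_a}  {url_a}")
        print(f"{ver}: single run   {sha_b}  {url_b}")
```

Run against a package's two transcripts before committing version() lines, a non-empty result means the pinned digest may belong to a different artifact than the one the install step downloads.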