It doesn't rely on SSH access now, only on OpenShift and Mirrorbits.

Infrastructure#966

As per drc review on IRC.

Tim Spriggs authored Jan 15, 2023 and Jehan committed Jan 23, 2023

resolves issue: #282

GNOME Gitlab runners are currently set to time out after 1:30:00. Unfortunately
when they do, it's not considered a failed job and artifacts are not uploaded
for investigation, which is a problem here as we still have too many issues with
the mirror check script (failed checks and time outs).

See: https://gitlab.com/gitlab-org/gitlab/-/issues/19818
#285

- These "Connection reset by peer" keep happening, and this time, I had one case
  where the final exception was not requests.exceptions.ChunkedEncodingError but
  urllib3.exceptions.ProtocolError. So let's also catch this one. I'm also
  adding ConnectionResetError though it doesn't like this is  ever the last
  exception so far.
- Remove a trailing closing parenthese added mistakenly with the orange escape
  code.
- Double the timeout to hopefully not have any more dropped download check.

Gitlab CI can show colored output, so let's add some to more easily find errors
when looking at the CI (as well as on local tests, of course).

Instead of computing checksum from a file stream during download, first download
the file on the file system, then compute its checksum and finally delete it
only if check is OK. The failed files are left as CI artifacts.

This will allow us to manually verify failed files, otherwise the check has no
meaning. We need to make sure if a failed check is due to download corruption
(typically I saw that some files in "checksum KO" result were apparently
bit-to-bit equal (for what was present), yet unfinished content; somehow the
download had failed even though we had no connection errors) and not malicious
changes. Basically if we happen to have a rogue mirror, we absolutely need to
make sure of it by having an actual file to compare and test.

There was a bunch of failed downloads which were actually "Connection reset by
peer" but my script was reporting them as None. This should fix it. Note that it
doesn't look like requests.exceptions.ChunkedEncodingError is really the
sensible exception which should have been returned. Maybe I should verify if it
should be reported to the requests module maintainers.
Also the .strerror property contains None, so I use the first args which
contains a relevant string instead.

- gimputils.version.find_latest() now also returns the release date specific for
  a tarball or last package revision release.
- In gimp-check-mirrors.py: display the release date of checked files (when they
  are taken from the json file with find_latest()). This allows to get a better
  idea of whether missing files are within acceptable delay for a mirror giving
  404 response. E.g. if a mirror still miss some files weeks after release, it
  might be a problem.
- No need to compute a checksum and display "checksum KO" for HTTP response
  other than 200 (success). It doesn't make sense to say the checksum was in
  error when we could not get the file at all (then our script still count it as
  error, but it's not a corrupted file error).

Fixing:

> Traceback (most recent call last):
>   File "/builds/Infrastructure/gimp-web/tools/downloads/gimp-check-mirrors.py", line 161, in <module>
>     if origin_executor is not None:
> NameError: name 'origin_executor' is not defined

- gimputils.version.find_latest() now gets data from the gimp_version.json file.
  We can't fully trust the 0.0_LATEST-IS* files anymore because they are on the
  download server and now all requests to it are mirrored (unless it's too soon
  and no mirrors are up-to-date). Mirrorbits proceeds with some health checks,
  but it's not enough to call them security checks as it goes through a separate
  rsync or FTP channels. The mirrors still have the ability to "lie" with
  targetted attacks. This is why our gimp-check-mirrors.py script is still
  useful.
  The json file on the other hand is fully controlled.
- Also the second change in gimputils.version.find_latest() is that we can get
  the original checksums from the json file as well, instead of computing these
  ourselves. It's faster and safer. Since it changed the signature of the
  function, I also fixed its usage in download-plot.py.
- gimp-check-mirrors.py uses the new version of gimputils.version.find_latest()
  as well. I also fixed the local path after changes in the mirror listing. The
  script was totally broken these days because of this.

I used these for the recent artfiles mirror debugging issues!

It's very weird as I had one answer about our mirror changes, early September,
then nothing since, despite sending a few more reminder emails. We can't just
ask forever, so let's remove them from the list for now.

If ever they get back to us in the future, we can review and fix the settings to
get them back in the mirror pool.

When double-clicking to select the --no-download-oc option, it was also getting
the final dot, which I have to remove after pasting. Just make so we don't end
with a final dot. It's not a huge issue, but that's the kind of tiny annoyances
which add up to really annoy you in the end if you don't take care of them
(especially if I often use these scripts, which have been the case these past
months as we were setting up mirrorbits).

See: Infrastructure#951

Also added the contact field for artfiles.org (looks like I forgot to amend it
in the previous commit).

Finally update the downloads.http.txt generated file which was a bit outdated.

Ever since the switch to mirrorbits, we had lost artfiles.org as a mirror,
mostly because I never managed to get in touch with anyone on the email address
which is in the rsyncd secrets file, neither on the info@ address I found for
the artfiles.de hosting company.

I finally got in touch with someone through the live chat on their website,
which is therefore what I wrote down as official contact. They set up a FTP
access for us, with credentials, and IP-restricted (in case GNOME change
mirrorbits origin IPs, it needs to be remembered).

It is now working in mirrorbits except I realized their mirror is outdated,
which is the last point I'm handling with them by email right now (possibly they
haven't changed from download.gimp.org to master.gnome.org?).

They fully moved to Matrix, with bridges on Libera.chat.
See: https://discourse.gnome.org/t/gnome-moves-away-from-gimpnet-on-nov-25-15-00-utc/12046

Fortunately it looks like our own Matrix bridges (still to GIMPNet) survived so
we keep mentions of these here.

This was proposed by schumaml that links to homepage of the sponsoring
organization may not be enough in case some people may want to double-check they
got GIMP from an organization sponsoring GIMP officially.

So I'm adding small "arrow links" taking us to the actual mirror URL for each
mirror.

It fixes gimp#8281 with updated babl and GEGL. Also this is the first stable
version of GIMP with an Apple Silicon dedicated package.

Also temp header change for the 27th birthday.

It was mostly delayed by:
- issues with the new DMG macOS (build-id had to be different);
- discovered issues of problematic GLib 2.74.0 in MSYS2, hence our Windows
  installer: https://github.com/msys2/MINGW-packages/issues/14088
- major GNOME infrastructure issues yesterday.

Now it seems like we can finally publish the announcement.