On Wed, 05 Jul 2017 21:48:12 +0200
Michał Górny <mgorny@g.o> wrote:

> Hi, everyone.
>
> I've seen multiple bugs related to hash verification failures for GitHub
> snapshots lately. However, none of the maintainers have been so far able
> to provide me with a sample of the old and new snapshot for comparison,
> so we still have no clue what's happening exactly.
>
> If you see your package failing or get a report for it, then *please*
> save the original tarball before replacing it with the new one and send
> me both for comparison. Thank you.

Sounds easy to verify.
1. grab all the github tarballs (should be a better way to do it with proper USE expansion):
$ egrep -R 'SRC_URI.*github.com' metadata/ | grep -o '[^/ ]*$' | sort -u > github_distfiles.list
2. grab all manifest files that look like defining these files and remove them locally:
$ git grep -l -F -f ./github_distfiles.list | grep -F /Manifest | xargs rm -v
3. Refetch distfiles from internets:
$ mkdir /tmp/fresh
$ GENTOO_MIRRORS= DISTDIR=/tmp/fresh repoman manifest

As a result each 'git diff' report is your potential candidate.
You have new file in /tmp/fresh/<file>
and old one on http://distfiles.gentoo.org/distfiles/<file>

A few samples:
--- a/app-admin/qtpass/Manifest |
+++ b/app-admin/qtpass/Manifest |
@@ -1,4 +1,4 @@ |
-DIST qtpass-1.0.5.tar.gz 636461 SHA256 0c07bd1eb9e5336c0225f891e5b9a9df103f218619cf7ec6311edf654e8db281 |
-DIST qtpass-1.1.0.tar.gz 671525 SHA256 60b458062f54184057e55dbd9c93958a8bf845244ffd70b9cb31bf58697f0dc6 |
+DIST qtpass-1.0.5.tar.gz 636457 SHA256 b9f1c1ecf4afbe716915792ff692e7114568de5bd8c47750d5c8404aa28699e7 |
+DIST qtpass-1.1.0.tar.gz 671537 SHA256 f2fff7922902c4c118e04164c078ca80e9a28221320b4253d3117d885e8417b6 |
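Review bot: both +DIST lines change the size and SHA256 recorded for version strings that stay the same (qtpass-1.0.5 and qtpass-1.1.0), so committing this hunk would replace the checksum that existing copies of these distfiles were verified against. Hold the Manifest update until the old and new archives have been compared, and state the reason for the re-hash in the commit message.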

diffoscope reports case change only in root dir name:

$ diffoscope old/qtpass-1.1.0.tar.gz new/qtpass-1.1.0.tar.gz
│ │ @@ -1,83 +1,83 @@ |
│ │ -drwxrwxr-x 0 root (0) root (0) 0 2016-01-25 09:58:18.000000 qtpass-1.1.0/ |
│ │ +drwxrwxr-x 0 root (0) root (0) 0 2016-01-25 09:58:18.000000 QtPass-1.1.0/ |
...

I guess somebody decided to rename github repo slightly.

Both files are at:

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/qtpass-1.1.0.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/qtpass-1.1.0.tar.gz

--- a/app-crypt/acme/Manifest |
+++ b/app-crypt/acme/Manifest |
@@ -1,3 +1,3 @@ |
DIST certbot-0.14.1.tar.gz 851705 SHA256 7992fced742649e7b7668e4db7685de12248a4ffba66810cb336e9b6412e3567 |
DIST certbot-0.15.0.tar.gz 942788 SHA256 87d306b1c013b472b8f548b38ccc476c125816435bb3b99e932fed09ac777296 |
-DIST letsencrypt-0.1.0.tar.gz 524821 SHA256 1c1ac7b41e5e0fc0e41a7ef159ac9147a4aafff54453d57b519eb05bf52ade14 |
+DIST letsencrypt-0.1.0.tar.gz 524854 SHA256 3ba1add217fc1665ad1d3c4812c0de60590f406cb83d6514332898ab60b26f62 |

$ diffoscope old/letsencrypt-0.1.0.tar.gz new/letsencrypt-0.1.0.tar.gz
│ │ @@ -1,579 +1,579 @@ |
│ │ -drwxrwxr-x 0 root (0) root (0) 0 2015-12-02 23:55:43.000000 letsencrypt-0.1.0/ |
│ │ +drwxrwxr-x 0 root (0) root (0) 0 2015-12-02 23:55:43.000000 certbot-0.1.0/ |

Same thing.

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/letsencrypt-0.1.0.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/letsencrypt-0.1.0.tar.gz

Zip file!

--- a/app-crypt/etcd-ca/Manifest |
+++ b/app-crypt/etcd-ca/Manifest |
@@ -1,2 +1,2 @@ |
-DIST etcd-ca-0_p20140903.zip 1178338 SHA256 5da9f7afad6dd373d96c5d36dd30e9f43cfc8fc2359bbf2d0c6a864fff139f81 |
+DIST etcd-ca-0_p20140903.zip 1178338 SHA256 7ef6b7f34324bd4b48b369990a7eb70e30809240f3c3d97b7d56d021af3f43f3 |
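Review bot: on the etcd-ca-0_p20140903.zip line the size stays at 1178338 while the SHA256 changes, so a size comparison alone would not have flagged this regenerated archive. Keep the full hash as the gate and diff the two zip files before accepting the new value.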

$ diffoscope old/etcd-ca-0_p20140903.zip new/etcd-ca-0_p20140903.zip
│ drwx--- 0.0 fat 0 bx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/ |
│ --rw---- 0.0 fat 24 bx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/.gitconfig |
│ --rw---- 0.0 fat 3924 bx defN 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/CONTRIBUTING.md |
│ +-rw---- 0.0 fat 24 tx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/.gitconfig |
│ +-rw---- 0.0 fat 3924 tx defN 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/CONTRIBUTING.md |

Here contents didn't change but zip compressor decided to pick different file type (bx/tx is binary/text).

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/etcd-ca-0_p20140903.zip
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/etcd-ca-0_p20140903.zip

--- a/app-emacs/lua-mode/Manifest |
+++ b/app-emacs/lua-mode/Manifest |
@@ -1 +1 @@ |
-DIST lua-mode-20130419.tar.gz 26236 SHA256 75c1696421983fbb58946ea649d2917f0deefc8b4f1dbc16b819e0cd603e396a |
+DIST lua-mode-20130419.tar.gz 26242 SHA256 7a5e1a21e53aeab6e7cad8c616f6b026fd32f414bc6a32371e04d4e7424800c7 |
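Review bot: the single DIST line for lua-mode-20130419.tar.gz is re-hashed for a dated snapshot whose lua-mode.el, per the diffoscope output further down, carries a Revision field that is expanded at archive creation, so the pinned checksum depends on how that field is rendered each time the archive is generated. Before accepting the new hash, confirm the Revision line is the only difference between the two archives.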

This one is different. Tag expansion changed (on GitHub's side?):

$ diffoscope old/lua-mode-20130419.tar.gz new/lua-mode-20130419.tar.gz | lv

│ ├── lua-mode-rel-20130419/lua-mode.el |
│ │ @@ -31,15 +31,15 @@ |
│ │ ;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, |
│ │ ;; MA 02110-1301, USA. |
│ │ |
│ │ ;; Keywords: languages, processes, tools |
│ │ |
│ │ ;; This field is expanded to commit SHA, date & associated heads/tags during |
│ │ ;; archive creation. |
│ │ -;; Revision: 040bc8f (Fri, 19 Apr 2013 11:27:32 +0400 (rel-20130419)) |
│ │ +;; Revision: 040bc8f (Fri, 19 Apr 2013 11:27:32 +0400 (tag: rel-20130419)) |
│ │ ;; |
│ │ |
│ │ ;;; Commentary: |
│ │ |
│ │ ;; Thanks to d87 <github.com/d87> for an idea of highlighting lua |
│ │ ;; builtins/numbers |
│ │ |
│ ╵ |

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/lua-mode-20130419.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/lua-mode-20130419.tar.gz

--- a/app-emulation/docker/Manifest |
+++ b/app-emulation/docker/Manifest |
@@ -1,3 +1,3 @@ |
-DIST docker-17.03.1.tar.gz 7773296 SHA256 a8f1eefadf3966885ad0579facfc2017cca7dd3a0b20d086dfd798168716cb83 |
+DIST docker-17.03.1.tar.gz 7773988 SHA256 411e32ee388ad6d99479b97a3937c851bd84dacf4267be9d5501665e468e148e |
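Review bot: the header reads @@ -1,3 +1,3 @@ but only the docker-17.03.1.tar.gz pair is shown, and the new entry is 692 bytes larger (7773296 to 7773988) with no comparison output after the diffoscope command. A size change like this should not be accepted until the two tarballs have been diffed and the cause is written down.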

$ diffoscope old/docker-17.03.1.tar.gz new/docker-17.03.1.tar.gz


--

Sergei
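
A way to triage the candidates that the three steps above turn up, as an added example that is not part of the original mail: it hashes each file below the top-level directory, so a root directory rename (the qtpass and letsencrypt cases) is told apart from a real content change (the lua-mode case). The function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def member_digests(blob):
    """Return (root dir names, {path below root: SHA256}) for .tar.gz bytes."""
    roots, digests = set(), {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            root, _, rest = m.name.partition("/")
            roots.add(root)
            if m.isfile():
                data = tar.extractfile(m).read()
                digests[rest] = hashlib.sha256(data).hexdigest()
    return roots, digests


def classify(old_blob, new_blob):
    """Explain why two snapshots of one release hash differently."""
    if old_blob == new_blob:
        return "identical", []
    old_roots, old = member_digests(old_blob)
    new_roots, new = member_digests(new_blob)
    changed = sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
    if changed:
        return "content-changed", changed   # file bodies differ: needs a human look
    if old_roots != new_roots:
        return "root-dir-renamed", []       # e.g. qtpass-1.1.0/ vs QtPass-1.1.0/
    return "metadata-only", []              # mtimes, modes, compression settings


def make_snapshot(root, files, mtime=0):
    """Build a constructed .tar.gz in memory (sample input, not a real distfile)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        top = tarfile.TarInfo(root)
        top.type = tarfile.DIRTYPE
        tar.addfile(top)
        for name, data in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    files = {"README.md": b"docs\n", "main.cpp": b"int main(){}\n"}
    old = make_snapshot("qtpass-1.1.0", files)
    new = make_snapshot("QtPass-1.1.0", files)
    print(classify(old, new))
```

Only a "content-changed" verdict lists paths; those are the files to read in diffoscope before a Manifest entry is regenerated.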