On Wed, 05 Jul 2017 21:48:12 +0200
Michał Górny <mgorny@g.o> wrote:

> Hi, everyone.
>
> I've seen multiple bugs related to hash verification failures for GitHub
> snapshots lately. However, none of the maintainers have been so far able
> to provide me with a sample of the old and new snapshot for comparison,
> so we still have no clue what's happening exactly.
>
> If you see your package failing or get a report for it, then *please*
> save the original tarball before replacing it with the new one and send
> me both for comparison. Thank you.

Sounds easy to verify.
1. grab all the github tarballs (should be a better way to do it with proper USE expansion):
$ egrep -R 'SRC_URI.*github.com' metadata/ | grep -o '[^/ ]*$' | sort -u > github_distfiles.list
2. grab all manifest files that look like defining these files and remove them locally:
$ git grep -l -F -f ./github_distfiles.list | grep -F /Manifest | xargs rm -v
3. Refetch distfiles from internets:
$ mkdir /tmp/fresh
$ GENTOO_MIRRORS= DISTDIR=/tmp/fresh repoman manifest

As a result each 'git diff' report is your potential candidate.
You have new file in /tmp/fresh/<file>
and old one on http://distfiles.gentoo.org/distfiles/<file>

A few samples:
--- a/app-admin/qtpass/Manifest |
+++ b/app-admin/qtpass/Manifest |
@@ -1,4 +1,4 @@ |
-DIST qtpass-1.0.5.tar.gz 636461 SHA256 0c07bd1eb9e5336c0225f891e5b9a9df103f218619cf7ec6311edf654e8db281 |
-DIST qtpass-1.1.0.tar.gz 671525 SHA256 60b458062f54184057e55dbd9c93958a8bf845244ffd70b9cb31bf58697f0dc6 |
+DIST qtpass-1.0.5.tar.gz 636457 SHA256 b9f1c1ecf4afbe716915792ff692e7114568de5bd8c47750d5c8404aa28699e7 |
+DIST qtpass-1.1.0.tar.gz 671537 SHA256 f2fff7922902c4c118e04164c078ca80e9a28221320b4253d3117d885e8417b6 |
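
Review bot: both replaced DIST lines keep their file names (qtpass-1.0.5.tar.gz, qtpass-1.1.0.tar.gz) while size and SHA256 change, so committing this Manifest alone would make every mirror or DISTDIR copy of the old archives fail verification. The listing that follows shows the top-level directory changing from qtpass-1.1.0/ to QtPass-1.1.0/; if the ebuild relies on the default S of ${WORKDIR}/${P} it needs an explicit S as well, and the regenerated archive is better fetched under a new file name than accepted by swapping the hash in place.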

diffoscope reports case change only in root dir name:

$ diffoscope old/qtpass-1.1.0.tar.gz new/qtpass-1.1.0.tar.gz
│ │ @@ -1,83 +1,83 @@
│ │ -drwxrwxr-x 0 root (0) root (0) 0 2016-01-25 09:58:18.000000 qtpass-1.1.0/
│ │ +drwxrwxr-x 0 root (0) root (0) 0 2016-01-25 09:58:18.000000 QtPass-1.1.0/
...

I guess somebody decided to rename github repo slightly.

Both files are at:

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/qtpass-1.1.0.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/qtpass-1.1.0.tar.gz

--- a/app-crypt/acme/Manifest |
+++ b/app-crypt/acme/Manifest |
@@ -1,3 +1,3 @@ |
DIST certbot-0.14.1.tar.gz 851705 SHA256 7992fced742649e7b7668e4db7685de12248a4ffba66810cb336e9b6412e3567 |
DIST certbot-0.15.0.tar.gz 942788 SHA256 87d306b1c013b472b8f548b38ccc476c125816435bb3b99e932fed09ac777296 |
-DIST letsencrypt-0.1.0.tar.gz 524821 SHA256 1c1ac7b41e5e0fc0e41a7ef159ac9147a4aafff54453d57b519eb05bf52ade14 |
+DIST letsencrypt-0.1.0.tar.gz 524854 SHA256 3ba1add217fc1665ad1d3c4812c0de60590f406cb83d6514332898ab60b26f62 |

$ diffoscope old/letsencrypt-0.1.0.tar.gz new/letsencrypt-0.1.0.tar.gz
│ │ @@ -1,579 +1,579 @@
│ │ -drwxrwxr-x 0 root (0) root (0) 0 2015-12-02 23:55:43.000000 letsencrypt-0.1.0/
│ │ +drwxrwxr-x 0 root (0) root (0) 0 2015-12-02 23:55:43.000000 certbot-0.1.0/

Same thing.

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/letsencrypt-0.1.0.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/letsencrypt-0.1.0.tar.gz

Zip file!

--- a/app-crypt/etcd-ca/Manifest |
+++ b/app-crypt/etcd-ca/Manifest |
@@ -1,2 +1,2 @@ |
-DIST etcd-ca-0_p20140903.zip 1178338 SHA256 5da9f7afad6dd373d96c5d36dd30e9f43cfc8fc2359bbf2d0c6a864fff139f81 |
+DIST etcd-ca-0_p20140903.zip 1178338 SHA256 7ef6b7f34324bd4b48b369990a7eb70e30809240f3c3d97b7d56d021af3f43f3 |
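
Review bot: the size field stays at 1178338 on both sides of this hunk and only the SHA256 differs, so any check that compares sizes alone would report this distfile as unchanged. Record in the commit message what differs between the two zips before accepting the new hash, since nothing in the Manifest line itself distinguishes a metadata-only rewrite from modified file contents.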

$ diffoscope old/etcd-ca-0_p20140903.zip new/etcd-ca-0_p20140903.zip
│ drwx--- 0.0 fat 0 bx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/
│ --rw---- 0.0 fat 24 bx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/.gitconfig
│ --rw---- 0.0 fat 3924 bx defN 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/CONTRIBUTING.md
│ +-rw---- 0.0 fat 24 tx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/.gitconfig
│ +-rw---- 0.0 fat 3924 tx defN 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/CONTRIBUTING.md

Here contents didn't change but zip compressor decided to pick different file type (bx/tx is binary/text).

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/etcd-ca-0_p20140903.zip
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/etcd-ca-0_p20140903.zip

--- a/app-emacs/lua-mode/Manifest |
+++ b/app-emacs/lua-mode/Manifest |
@@ -1 +1 @@ |
-DIST lua-mode-20130419.tar.gz 26236 SHA256 75c1696421983fbb58946ea649d2917f0deefc8b4f1dbc16b819e0cd603e396a |
+DIST lua-mode-20130419.tar.gz 26242 SHA256 7a5e1a21e53aeab6e7cad8c616f6b026fd32f414bc6a32371e04d4e7424800c7 |
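
Review bot: unlike the directory renames in the earlier samples, the replaced lua-mode-20130419.tar.gz line goes with a change inside a shipped file (the Revision line of lua-mode.el in the listing below), so the new hash covers different unpacked content and not just a different wrapper. Say so in the commit message, and note that a field expanded at archive creation can change again on any later regeneration of the snapshot.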

This one is different. Tag expansion changed (on GitHub's side?):

$ diffoscope old/lua-mode-20130419.tar.gz new/lua-mode-20130419.tar.gz | lv

│ ├── lua-mode-rel-20130419/lua-mode.el
│ │ @@ -31,15 +31,15 @@
│ │ ;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
│ │ ;; MA 02110-1301, USA.
│ │
│ │ ;; Keywords: languages, processes, tools
│ │
│ │ ;; This field is expanded to commit SHA, date & associated heads/tags during
│ │ ;; archive creation.
│ │ -;; Revision: 040bc8f (Fri, 19 Apr 2013 11:27:32 +0400 (rel-20130419))
│ │ +;; Revision: 040bc8f (Fri, 19 Apr 2013 11:27:32 +0400 (tag: rel-20130419))
│ │ ;;
│ │
│ │ ;;; Commentary:
│ │
│ │ ;; Thanks to d87 <github.com/d87> for an idea of highlighting lua
│ │ ;; builtins/numbers
│ │
│ ╵

http://dev.gentoo.org/~slyfox/unstable_tarballs/old/lua-mode-20130419.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/lua-mode-20130419.tar.gz

--- a/app-emulation/docker/Manifest |
+++ b/app-emulation/docker/Manifest |
@@ -1,3 +1,3 @@ |
-DIST docker-17.03.1.tar.gz 7773296 SHA256 a8f1eefadf3966885ad0579facfc2017cca7dd3a0b20d086dfd798168716cb83 |
+DIST docker-17.03.1.tar.gz 7773988 SHA256 411e32ee388ad6d99479b97a3937c851bd84dacf4267be9d5501665e468e148e |
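
Review bot: the header @@ -1,3 +1,3 @@ announces three lines per side but only the docker-17.03.1.tar.gz pair is shown, and the diffoscope command after it has no output, so the 692-byte growth (7773296 to 7773988) is unexplained. Hold this entry back until the old and new archives have actually been compared.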

$ diffoscope old/docker-17.03.1.tar.gz new/docker-17.03.1.tar.gz

-- 

Sergei |
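
Added example, not part of the original message: a triage helper that tells a changed wrapper (root directory rename, as in the qtpass and letsencrypt samples) apart from changed file content (as in the lua-mode sample) when a GitHub .tar.gz snapshot no longer matches its Manifest hash. The function names and the in-memory sample archives are assumptions constructed for illustration; zip distfiles such as etcd-ca are not covered.

```python
import hashlib
import io
import tarfile

def tree_digest(blob):
    """Map each path below the archive's root directory to (type, mode, link, sha256)."""
    tree = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for m in tf:
            # Drop the first path component: it is derived from the repo name.
            rel = m.name.split("/", 1)[1] if "/" in m.name else ""
            body = tf.extractfile(m).read() if m.isfile() else b""
            # Owner and mtime are deliberately left out of the comparison.
            tree[rel] = (m.type, m.mode, m.linkname, hashlib.sha256(body).hexdigest())
    return tree

def classify(old_blob, new_blob):
    """Return (verdict, changed_paths) for two snapshots of the same distfile."""
    if hashlib.sha256(old_blob).digest() == hashlib.sha256(new_blob).digest():
        return ("identical", [])
    old, new = tree_digest(old_blob), tree_digest(new_blob)
    changed = sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))
    # Same tree under a different wrapper (root dir name, compression, header
    # fields) versus a real difference in what gets unpacked and built.
    return ("container-only" if not changed else "content-changed", changed)

def make_sample(root, files):
    """Build a small .tar.gz in memory (constructed test input, not a real distfile)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        d = tarfile.TarInfo(root)
        d.type, d.mode = tarfile.DIRTYPE, 0o775
        tf.addfile(d)
        for name, body in files.items():
            ti = tarfile.TarInfo(f"{root}/{name}")
            ti.size = len(body)
            tf.addfile(ti, io.BytesIO(body))
    return buf.getvalue()

# Constructed samples modelled on the two causes reported in the message.
RENAME_OLD = make_sample("qtpass-1.1.0", {"main.cpp": b"int main() {}\n"})
RENAME_NEW = make_sample("QtPass-1.1.0", {"main.cpp": b"int main() {}\n"})
EXPAND_OLD = make_sample("lua-mode-rel-20130419", {"lua-mode.el": b";; Revision: 040bc8f (rel-20130419)\n"})
EXPAND_NEW = make_sample("lua-mode-rel-20130419", {"lua-mode.el": b";; Revision: 040bc8f (tag: rel-20130419)\n"})

if __name__ == "__main__":
    print(classify(RENAME_OLD, RENAME_NEW))
    print(classify(EXPAND_OLD, EXPAND_NEW))
```

A "content-changed" verdict is the case that needs a human to read the listed paths before any new hash is accepted; "container-only" still changes the checksum but not what gets unpacked below the root directory.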