[gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size

[gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size

[Mark Haney]

Is anyone else seeing this when emerging Firefox 1.5.0.5?

 >>> Emerging (1 of 1) www-client/mozilla-firefox-1.5.0.5 to /
 >>> checking ebuild checksums
!!! Digest verification failed:
!!! /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 9195
!!! Expected: 9196



-- 
Fere libenter homines id quod volunt credunt.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
-- 
gentoo-amd64@gentoo.org mailing list

Re: [gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size

[Peter Humphrey]

On Monday 31 July 2006 16:01, Mark Haney wrote:
> Is anyone else seeing this when emerging Firefox 1.5.0.5?
>
>  >>> Emerging (1 of 1) www-client/mozilla-firefox-1.5.0.5 to /
>  >>> checking ebuild checksums
>
> !!! Digest verification failed:
> !!!
> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
> !!! Reason: Filesize does not match recorded size
> !!! Got: 9195
> !!! Expected: 9196

Nope. Works fine here.

-- 
Rgds
Peter
-- 
gentoo-amd64@gentoo.org mailing list

Re: [gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size

[Mark Haney]

Peter Humphrey wrote:
> On Monday 31 July 2006 16:01, Mark Haney wrote:
>> Is anyone else seeing this when emerging Firefox 1.5.0.5?
>>
>>  >>> Emerging (1 of 1) www-client/mozilla-firefox-1.5.0.5 to /
>>  >>> checking ebuild checksums
>>
>> !!! Digest verification failed:
>> !!!
>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
>> !!! Reason: Filesize does not match recorded size
>> !!! Got: 9195
>> !!! Expected: 9196
> 
> Nope. Works fine here.
> 

Okay, next question is, how do I clean portage up (sanely) to allow a 
re-download of the ebuild?




-- 
Fere libenter homines id quod volunt credunt.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
-- 
gentoo-amd64@gentoo.org mailing list

Re: [gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size

[Atoms]

Mark Haney wrote:
> Peter Humphrey wrote:
>> On Monday 31 July 2006 16:01, Mark Haney wrote:
>>> Is anyone else seeing this when emerging Firefox 1.5.0.5?
>>>
>>> >>> Emerging (1 of 1) www-client/mozilla-firefox-1.5.0.5 to /
>>> >>> checking ebuild checksums
>>>
>>> !!! Digest verification failed:
>>> !!!
>>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
>>> !!! Reason: Filesize does not match recorded size
>>> !!! Got: 9195
>>> !!! Expected: 9196
>>
>> Nope. Works fine here.
>>
>
> Okay, next question is, how do I clean portage up (sanely) to allow a 
> re-download of the ebuild?
>
>
>
>
just do `ebuild 
/usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild 
digest` and then emerge

-- 
Ar cieņu Aivars Šterns
mail: atoms@netparks.lv
phone: 26150528
web: http://atoms.netparks.lv

-- 
gentoo-amd64@gentoo.org mailing list

Re: [gentoo-amd64] [OT?] Firefox-1.5.0.5 ebuild file size

[Mike Williams]

On Monday 31 July 2006 16:47, Atoms wrote:
> >> Nope. Works fine here.
> >
> > Okay, next question is, how do I clean portage up (sanely) to allow a
> > re-download of the ebuild?
>
> just do `ebuild
> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
> digest` and then emerge

Err, no!
The size didn't match for a reason.

Delete the ebuild, and sync again. From a different mirror if possible.

-- 
Mike Williams
-- 
gentoo-amd64@gentoo.org mailing list

[gentoo-amd64] Re: [OT?] Firefox-1.5.0.5 ebuild file size

[Duncan]

Mike Williams <mike@gaima.co.uk> posted
200607311656.36538.mike@gaima.co.uk, excerpted below, on  Mon, 31 Jul 2006
16:56:35 +0100:

> On Monday 31 July 2006 16:47, Atoms wrote:
>> >> Nope. Works fine here.
>> >
>> > Okay, next question is, how do I clean portage up (sanely) to allow a
>> > re-download of the ebuild?
>>
>> just do `ebuild
>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
>> digest` and then emerge
> 
> Err, no!
> The size didn't match for a reason.
> 
> Delete the ebuild, and sync again. From a different mirror if possible.

My reaction too -- don't just blindly digest and emerge unless you are
quite sure it's safe to do so (a dev explains it or you check viewcvs and
verify that the one there is the same, plus verify that the ebuild isn't
doing anything weird like retrieving "special" source
from warez.and.crakz.r.us or the like).

THE WARNING ABOVE, INCORRECT SIZE OR OTHER FAILURE TO VERIFY, COULD
INDICATE A SECURITY ISSUE.  SIMPLY REDIGESTING THE FAILED PACKAGE BYPASSES
THE CHECKS AND COULD LEAVE YOUR GENTOO MACHINE CRACKED WIDE OPEN AND NO
LONGER UNDER YOUR CONTROL!!

I apologize for shouting, but your computer's security may depend on it. 
Don't do something stupid!

In actuality, it's much more likely simply broken or even an entirely
harmless difference like a missing newline or the like.  However, you 
can't KNOW that, and with various server in the FLOSS community having
already been found compromised, we know the crackers are trying, and it's
not out of the realm of possibility that a Gentoo server could be
compromised at some point.  Thus, don't do something you might regret. 
Either hand verify the ebuild if you know how to, or wait a few hours to a
day or two and the problem will probably have been resolved (or better,
file a bug and report it, asking if it's legit).

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

-- 
gentoo-amd64@gentoo.org mailing list

Re: [gentoo-amd64] Re: [OT?] Firefox-1.5.0.5 ebuild file size

[Mark Haney]

Duncan wrote:
> Mike Williams <mike@gaima.co.uk> posted
> 200607311656.36538.mike@gaima.co.uk, excerpted below, on  Mon, 31 Jul 2006
> 16:56:35 +0100:
> 
>> On Monday 31 July 2006 16:47, Atoms wrote:
>>>>> Nope. Works fine here.
>>>> Okay, next question is, how do I clean portage up (sanely) to allow a
>>>> re-download of the ebuild?
>>> just do `ebuild
>>> /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.5.ebuild
>>> digest` and then emerge
>> Err, no!
>> The size didn't match for a reason.
>>
>> Delete the ebuild, and sync again. From a different mirror if possible.
> 
> My reaction too -- don't just blindly digest and emerge unless you are
> quite sure it's safe to do so (a dev explains it or you check viewcvs and
> verify that the one there is the same, plus verify that the ebuild isn't
> doing anything weird like retrieving "special" source
> from warez.and.crakz.r.us or the like).
> 
> THE WARNING ABOVE, INCORRECT SIZE OR OTHER FAILURE TO VERIFY, COULD
> INDICATE A SECURITY ISSUE.  SIMPLY REDIGESTING THE FAILED PACKAGE BYPASSES
> THE CHECKS AND COULD LEAVE YOUR GENTOO MACHINE CRACKED WIDE OPEN AND NO
> LONGER UNDER YOUR CONTROL!!
> 
> I apologize for shouting, but your computer's security may depend on it. 
> Don't do something stupid!
> 
> In actuality, it's much more likely simply broken or even an entirely
> harmless difference like a missing newline or the like.  However, you 
> can't KNOW that, and with various server in the FLOSS community having
> already been found compromised, we know the crackers are trying, and it's
> not out of the realm of possibility that a Gentoo server could be
> compromised at some point.  Thus, don't do something you might regret. 
> Either hand verify the ebuild if you know how to, or wait a few hours to a
> day or two and the problem will probably have been resolved (or better,
> file a bug and report it, asking if it's legit).
> 

Since I'm not as up to speed as I really want to be on manipulating 
ebuilds and portage, I simply deleted the ebuild and re-sync'd, this one 
came down fine and is compiling now.  I thought about a bug report, but 
I felt that to be too extreme a measure if I was the only person seeing 
the problem.  However, the information on the possible security issues 
is quite appreciated, that method of infiltration never occurred to me, 
so I will be even more careful from now on with this.




-- 
Fere libenter homines id quod volunt credunt.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
-- 
gentoo-amd64@gentoo.org mailing list

Re: [gentoo-amd64] Re: [OT?] Firefox-1.5.0.5 ebuild file size

[Richard Freeman]

[-- Attachment #1: Type: text/plain, Size: 1265 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Haney wrote:
> 
> Since I'm not as up to speed as I really want to be on manipulating
> ebuilds and portage, I simply deleted the ebuild and re-sync'd, this one
> came down fine and is compiling now.  I thought about a bug report, but
> I felt that to be too extreme a measure if I was the only person seeing
> the problem.  

If an emerge sync doesn't fix the problem filing a bug is a perfectly
appropriate solution - any dev can fix this in 30 seconds (assuming it
is obvious the ebuild wasn't tampered with).  Most likely a dev forgot
to run repoman when doing a commit - otherwise the digest error would
have been caught (in theory they are supposed to do this all the time,
but it can be slow).  Ditto for problems when a package is marked stable
and one of its dependencies is not.

90% of the time it was noticed 5 minutes later and fixed, and you might
have done your last emerge sync in the interim.  As a result I usually
resync before filing a bug.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEz0X9G4/rWKZmVWkRAsTgAJ0UfDfcyiStNZDuhfV47x4zw29KAACcD3Ht
Ilg3uGqR1lIeznRHBdyR+Dw=
=anj+
-----END PGP SIGNATURE-----

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 4275 bytes --]

Re: [gentoo-amd64] Re: [OT?] Firefox-1.5.0.5 ebuild file size

[Mark Haney]

Richard Freeman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mark Haney wrote:
>> Since I'm not as up to speed as I really want to be on manipulating
>> ebuilds and portage, I simply deleted the ebuild and re-sync'd, this one
>> came down fine and is compiling now.  I thought about a bug report, but
>> I felt that to be too extreme a measure if I was the only person seeing
>> the problem.  
> 
> If an emerge sync doesn't fix the problem filing a bug is a perfectly
> appropriate solution - any dev can fix this in 30 seconds (assuming it
> is obvious the ebuild wasn't tampered with).  Most likely a dev forgot
> to run repoman when doing a commit - otherwise the digest error would
> have been caught (in theory they are supposed to do this all the time,
> but it can be slow).  Ditto for problems when a package is marked stable
> and one of its dependencies is not.
> 
> 90% of the time it was noticed 5 minutes later and fixed, and you might
> have done your last emerge sync in the interim.  As a result I usually
> resync before filing a bug.


All of this is great information, and something I've needed to know for 
quite a while.  I really like Gentoo, so much so, that I've migrating to 
it from Fedora on all my boxes at home (13 at last count).  Other than 
this laptop refusing to play nice with the ATI drivers, I've had nothing 
but great experiences from it.

Thanks for the help and the info.


-- 
Fere libenter homines id quod volunt credunt.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
-- 
gentoo-amd64@gentoo.org mailing list