From: Sergei Trofimovich <slyfox@gentoo.org>
To: "Michał Górny" <mgorny@gentoo.org>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Need GitHub snapshot hash verification failure samples
Date: Thu, 6 Jul 2017 21:15:37 +0100
Message-ID: <20170706211537.383cdb41@sf>
In-Reply-To: <1499284092.1134.1.camel@gentoo.org>
On Wed, 05 Jul 2017 21:48:12 +0200
Michał Górny <mgorny@gentoo.org> wrote:
> Hi, everyone.
>
> I've seen multiple bugs related to hash verification failures for GitHub
> snapshots lately. However, none of the maintainers have been so far able
> to provide me with a sample of the old and new snapshot for comparison,
> so we still have no clue what's happening exactly.
>
> if you see your package failing or get a report for it, then *please*
> save the original tarball before replacing it with the new one and send
> me both for comparison. Thank you.
Sounds easy to verify.
1. grab all the github tarballs (should be a better way to do it with proper USE expansion):
$ egrep -R 'SRC_URI.*github.com' metadata/ | grep -o '[^/ ]*$' | sort -u > github_distfiles.list
2. grab all Manifest files that look like they define these files and remove them locally:
$ git grep -l -F -f ./github_distfiles.list | grep -F /Manifest | xargs rm -v
3. Refetch distfiles from internets:
$ mkdir /tmp/fresh
$ GENTOO_MIRRORS= DISTDIR=/tmp/fresh repoman manifest
As a result, each 'git diff' report is a potential candidate.
You have the new file in /tmp/fresh/<file>
and the old one at http://distfiles.gentoo.org/distfiles/<file>
A few samples:
--- a/app-admin/qtpass/Manifest
+++ b/app-admin/qtpass/Manifest
@@ -1,4 +1,4 @@
-DIST qtpass-1.0.5.tar.gz 636461 SHA256 0c07bd1eb9e5336c0225f891e5b9a9df103f218619cf7ec6311edf654e8db281
-DIST qtpass-1.1.0.tar.gz 671525 SHA256 60b458062f54184057e55dbd9c93958a8bf845244ffd70b9cb31bf58697f0dc6
+DIST qtpass-1.0.5.tar.gz 636457 SHA256 b9f1c1ecf4afbe716915792ff692e7114568de5bd8c47750d5c8404aa28699e7
+DIST qtpass-1.1.0.tar.gz 671537 SHA256 f2fff7922902c4c118e04164c078ca80e9a28221320b4253d3117d885e8417b6
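Review bot: both entries change size as well as hash (636461 -> 636457 and 671525 -> 671537), but the diffoscope output later in the message only covers 1.1.0, where the whole difference is the root directory becoming QtPass-1.1.0/; nothing shows the 1.0.5 archive was compared the same way, so its new line should not be committed on the strength of the 1.1.0 result alone. A root-directory case change also means the default S=${WORKDIR}/${P} (qtpass-1.1.0) no longer matches the unpacked tree on a case-sensitive filesystem, so the ebuild's S needs checking together with this Manifest update, not just the hash.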
diffoscope reports a case change only in the root dir name:
$ diffoscope old/qtpass-1.1.0.tar.gz new/qtpass-1.1.0.tar.gz
│ │ @@ -1,83 +1,83 @@
│ │ -drwxrwxr-x 0 root (0) root (0) 0 2016-01-25 09:58:18.000000 qtpass-1.1.0/
│ │ +drwxrwxr-x 0 root (0) root (0) 0 2016-01-25 09:58:18.000000 QtPass-1.1.0/
...
I guess somebody decided to rename the GitHub repo slightly.
Both files are at:
http://dev.gentoo.org/~slyfox/unstable_tarballs/old/qtpass-1.1.0.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/qtpass-1.1.0.tar.gz
--- a/app-crypt/acme/Manifest
+++ b/app-crypt/acme/Manifest
@@ -1,3 +1,3 @@
DIST certbot-0.14.1.tar.gz 851705 SHA256 7992fced742649e7b7668e4db7685de12248a4ffba66810cb336e9b6412e3567
DIST certbot-0.15.0.tar.gz 942788 SHA256 87d306b1c013b472b8f548b38ccc476c125816435bb3b99e932fed09ac777296
-DIST letsencrypt-0.1.0.tar.gz 524821 SHA256 1c1ac7b41e5e0fc0e41a7ef159ac9147a4aafff54453d57b519eb05bf52ade14
+DIST letsencrypt-0.1.0.tar.gz 524854 SHA256 3ba1add217fc1665ad1d3c4812c0de60590f406cb83d6514332898ab60b26f62
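Review bot: only the letsencrypt-0.1.0 line changes while both certbot lines keep their hashes, and the diffoscope output that follows shows the root directory is now certbot-0.1.0/ instead of letsencrypt-0.1.0/. That is a rename of the whole tree, not a case change, so an ebuild relying on the default S=${WORKDIR}/${P} (letsencrypt-0.1.0) will fail right after unpacking even with the corrected hash; the Manifest update should land together with an explicit S= or with confirmation that the ebuild already sets one.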
$ diffoscope old/letsencrypt-0.1.0.tar.gz new/letsencrypt-0.1.0.tar.gz
│ │ @@ -1,579 +1,579 @@
│ │ -drwxrwxr-x 0 root (0) root (0) 0 2015-12-02 23:55:43.000000 letsencrypt-0.1.0/
│ │ +drwxrwxr-x 0 root (0) root (0) 0 2015-12-02 23:55:43.000000 certbot-0.1.0/
Same thing.
http://dev.gentoo.org/~slyfox/unstable_tarballs/old/letsencrypt-0.1.0.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/letsencrypt-0.1.0.tar.gz
Zip file!
--- a/app-crypt/etcd-ca/Manifest
+++ b/app-crypt/etcd-ca/Manifest
@@ -1,2 +1,2 @@
-DIST etcd-ca-0_p20140903.zip 1178338 SHA256 5da9f7afad6dd373d96c5d36dd30e9f43cfc8fc2359bbf2d0c6a864fff139f81
+DIST etcd-ca-0_p20140903.zip 1178338 SHA256 7ef6b7f34324bd4b48b369990a7eb70e30809240f3c3d97b7d56d021af3f43f3
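Review bot: this is the one sample where the size (1178338) is identical and only the SHA256 differs, so the Manifest line alone cannot tell a harmless re-compression from a same-size content edit; the diffoscope output below is what shows that only the zip text/binary flag (bx -> tx) flips on each entry. The commit that replaces this hash should carry that comparison as its justification, since a later re-fetch may flip the flag back and produce yet another mismatch against whichever hash is recorded.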
$ diffoscope old/etcd-ca-0_p20140903.zip new/etcd-ca-0_p20140903.zip
│ drwx--- 0.0 fat 0 bx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/
│ --rw---- 0.0 fat 24 bx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/.gitconfig
│ --rw---- 0.0 fat 3924 bx defN 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/CONTRIBUTING.md
│ +-rw---- 0.0 fat 24 tx stor 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/.gitconfig
│ +-rw---- 0.0 fat 3924 tx defN 14-Sep-03 21:30 etcd-ca-812f3626796be16d9db052720ce9c54f5a40bb26/CONTRIBUTING.md
Here the contents didn't change, but the zip compressor decided to pick a different file type (bx/tx is binary/text).
http://dev.gentoo.org/~slyfox/unstable_tarballs/old/etcd-ca-0_p20140903.zip
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/etcd-ca-0_p20140903.zip
--- a/app-emacs/lua-mode/Manifest
+++ b/app-emacs/lua-mode/Manifest
@@ -1 +1 @@
-DIST lua-mode-20130419.tar.gz 26236 SHA256 75c1696421983fbb58946ea649d2917f0deefc8b4f1dbc16b819e0cd603e396a
+DIST lua-mode-20130419.tar.gz 26242 SHA256 7a5e1a21e53aeab6e7cad8c616f6b026fd32f414bc6a32371e04d4e7424800c7
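Review bot: unlike the other samples, here a file's contents change and not just archive metadata: the diffoscope output below shows the ";; Revision:" line in lua-mode.el, which the file itself says is expanded from the commit at archive-creation time, gaining a "tag:" prefix. A snapshot whose bytes depend on the tool that generated the archive is not reproducible from the tag alone, so the only way to keep this hash stable is to pin a fixed copy of the distfile on a mirror under Gentoo control rather than re-fetching it from the GitHub tag URL.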
This one is different. Tag expansion changed (on GitHub's side?):
$ diffoscope old/lua-mode-20130419.tar.gz new/lua-mode-20130419.tar.gz | lv
│ ├── lua-mode-rel-20130419/lua-mode.el
│ │ @@ -31,15 +31,15 @@
│ │ ;; Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
│ │ ;; MA 02110-1301, USA.
│ │
│ │ ;; Keywords: languages, processes, tools
│ │
│ │ ;; This field is expanded to commit SHA, date & associated heads/tags during
│ │ ;; archive creation.
│ │ -;; Revision: 040bc8f (Fri, 19 Apr 2013 11:27:32 +0400 (rel-20130419))
│ │ +;; Revision: 040bc8f (Fri, 19 Apr 2013 11:27:32 +0400 (tag: rel-20130419))
│ │ ;;
│ │
│ │ ;;; Commentary:
│ │
│ │ ;; Thanks to d87 <github.com/d87> for an idea of highlighting lua
│ │ ;; builtins/numbers
│ │
│ ╵
http://dev.gentoo.org/~slyfox/unstable_tarballs/old/lua-mode-20130419.tar.gz
http://dev.gentoo.org/~slyfox/unstable_tarballs/new/lua-mode-20130419.tar.gz
--- a/app-emulation/docker/Manifest
+++ b/app-emulation/docker/Manifest
@@ -1,3 +1,3 @@
-DIST docker-17.03.1.tar.gz 7773296 SHA256 a8f1eefadf3966885ad0579facfc2017cca7dd3a0b20d086dfd798168716cb83
+DIST docker-17.03.1.tar.gz 7773988 SHA256 411e32ee388ad6d99479b97a3937c851bd84dacf4267be9d5501665e468e148e
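Review bot: the diffoscope command is shown but its output is not, so this sample gives no evidence of what the 692-byte growth (7773296 -> 7773988) consists of; of the five samples it is the largest size change and the only one without a content comparison, so the new hash should not be accepted until that comparison is attached.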
$ diffoscope old/docker-17.03.1.tar.gz new/docker-17.03.1.tar.gz
--
Sergei
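An added example (mine, not part of Sergei's message and not a Gentoo or GitHub tool) that performs the same triage in Python with only the standard library, so the answer diffoscope gives by eye for the samples above can be applied to the whole candidate list: it strips the top-level directory (the part a repository rename or case change alters), compares per-file content hashes, and only then compares member metadata, including the zip text/binary flag from the etcd-ca sample. The archive names, file contents and the make_tgz/make_zip helpers are constructed for illustration; for real use, read /tmp/fresh/<file> and the distfiles.gentoo.org copy into bytes and pass them to classify().

```python
"""Triage a GitHub snapshot hash mismatch by comparing old and new archives.

Added example (standard library only); it is not part of the message above
and not a Gentoo or GitHub tool. It strips each archive's top-level
directory, compares per-file content hashes, then per-member metadata, so
a repository rename, a re-compression and a real content change are told
apart the way the diffoscope runs above tell them apart by eye.
"""
import hashlib
import io
import tarfile
import zipfile


def _members(data: bytes):
    """Return (top-level names, {path below top level: (sha256, metadata)})."""
    roots, files = set(), {}
    if data[:2] == b"PK":  # zip snapshot
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                parts = zi.filename.rstrip("/").split("/", 1)
                roots.add(parts[0])
                if zi.is_dir() or len(parts) < 2:
                    continue
                # internal_attr bit 0 is the text flag diffoscope shows as tx/bx
                meta = (zi.date_time, zi.external_attr, zi.internal_attr & 1)
                files[parts[1]] = (hashlib.sha256(zf.read(zi)).hexdigest(), meta)
    else:  # tar, any compression tarfile can detect
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for ti in tf:
                parts = ti.name.rstrip("/").split("/", 1)
                roots.add(parts[0])
                if not ti.isfile() or len(parts) < 2:
                    continue
                meta = (ti.mtime, ti.mode, ti.uid, ti.gid, ti.uname, ti.gname)
                body = tf.extractfile(ti).read()
                files[parts[1]] = (hashlib.sha256(body).hexdigest(), meta)
    return roots, files


def classify(old: bytes, new: bytes) -> str:
    """Name the kind of difference; only 'content' and 'members' need a code review."""
    if old == new:
        return "identical"
    old_roots, old_files = _members(old)
    new_roots, new_files = _members(new)
    if old_files.keys() != new_files.keys():
        return "members"      # files added or removed: a different upstream tree
    if any(old_files[p][0] != new_files[p][0] for p in old_files):
        return "content"      # at least one file's bytes differ (lua-mode case)
    if any(old_files[p][1] != new_files[p][1] for p in old_files):
        return "metadata"     # same bytes; mtime/mode/owner/text flag differ (etcd-ca case)
    if old_roots != new_roots:
        return "root-rename"  # only the top-level directory differs (qtpass, letsencrypt cases)
    return "container"        # same members and metadata; compressor output differs


def changed_files(old: bytes, new: bytes) -> list:
    """Paths below the top level whose bytes differ, for the 'content' case."""
    _, a = _members(old)
    _, b = _members(new)
    return sorted(p for p in a.keys() & b.keys() if a[p][0] != b[p][0])


def make_tgz(root: str, files: dict, mtime: int = 1453715898) -> bytes:
    """Constructed sample: a .tar.gz with one top-level directory, like a GitHub snapshot."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            ti = tarfile.TarInfo(f"{root}/{name}")
            ti.size, ti.mtime = len(body), mtime
            tf.addfile(ti, io.BytesIO(body))
    return buf.getvalue()


def make_zip(root: str, files: dict, text_flag: int = 0) -> bytes:
    """Constructed sample: a .zip whose entries carry the given text/binary flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zi = zipfile.ZipInfo(f"{root}/{name}", date_time=(2014, 9, 3, 21, 30, 0))
            zi.internal_attr = text_flag
            zf.writestr(zi, body, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    tree = {"README.md": b"# QtPass\n", "src/main.cpp": b"int main() {}\n"}
    print(classify(make_tgz("qtpass-1.1.0", tree), make_tgz("QtPass-1.1.0", tree)))      # root-rename
    print(classify(make_zip("etcd-ca", tree), make_zip("etcd-ca", tree, text_flag=1)))  # metadata
```

The check order is deliberate: a changed member set or changed bytes is reported before anything else, because those are the cases where a regenerated snapshot could carry something other than what was reviewed, while a bare root-rename or metadata result means the payload is byte-identical and the remaining work is on the Gentoo side (the hash line, and for a rename the ebuild's S). A "content" result still has to be read by a human; for the lua-mode sample changed_files() would point straight at lua-mode.el.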
Thread overview: 4+ messages
2017-07-05 19:48 [gentoo-dev] Need GitHub snapshot hash verification failure samples Michał Górny
2017-07-05 22:30 ` Vadim A. Misbakh-Soloviov
2017-07-08 22:09 ` William L. Thomson Jr.
2017-07-06 20:15 ` Sergei Trofimovich [this message]