public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] getting digest verification failed when emerging bittorrent
@ 2009-03-07 21:20 John covici
  2009-03-07 21:34 ` Alan McKinnon
  0 siblings, 1 reply; 9+ messages in thread
From: John covici @ 2009-03-07 21:20 UTC (permalink / raw
  To: gentoo-user

Hi.  I am getting digest verification failed when trying to emerge
bittorrent -- it is having trouble with the Changelog file.  The exact
message is:
!!! Digest verification failed:
!!! /usr/portage/net-p2p/bittorrent/ChangeLog
!!! Reason: Filesize does not match recorded size
!!! Got: 19308
!!! Expected: 19466

Is there a new ebuild coming?

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici
         covici@ccs.covici.com




* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-07 21:20 [gentoo-user] getting digest verification failed when emerging bittorrent John covici
@ 2009-03-07 21:34 ` Alan McKinnon
  2009-03-07 21:54   ` Dale
  0 siblings, 1 reply; 9+ messages in thread
From: Alan McKinnon @ 2009-03-07 21:34 UTC (permalink / raw
  To: gentoo-user

On Saturday 07 March 2009 23:20:38 John covici wrote:
> Hi.  I am getting digest verification failed when trying to emerge
> bittorrent -- it is having trouble with the Changelog file.  The exact
> message is:
> !!! Digest verification failed:
> !!! /usr/portage/net-p2p/bittorrent/ChangeLog
> !!! Reason: Filesize does not match recorded size
> !!! Got: 19308
> !!! Expected: 19466
>
> Is there a new ebuild coming?

wait 24 hours, resync, try again.

Or just re-digest the package manually:

ebuild <path_to_ebuild_file> manifest

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-07 21:34 ` Alan McKinnon
@ 2009-03-07 21:54   ` Dale
  2009-03-07 22:35     ` Alan McKinnon
                       ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Dale @ 2009-03-07 21:54 UTC (permalink / raw
  To: gentoo-user

Alan McKinnon wrote:
> On Saturday 07 March 2009 23:20:38 John covici wrote:
>   
>> Hi.  I am getting digest verification failed when trying to emerge
>> bittorrent -- it is having trouble with the Changelog file.  The exact
>> message is:
>> !!! Digest verification failed:
>> !!! /usr/portage/net-p2p/bittorrent/ChangeLog
>> !!! Reason: Filesize does not match recorded size
>> !!! Got: 19308
>> !!! Expected: 19466
>>
>> Is there a new ebuild coming?
>>     
>
> wait 24 hours, resync, try again.
>
> Or just re-digest the package manually:
>
> ebuild <path_to_ebuild_file> manifest
>
>   

Does emerge --digest still exist?  I recall using something like that a
long time ago.  I think I used it for googleforearth which never matches. 

Dale

:-)  :-) 




* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-07 21:54   ` Dale
@ 2009-03-07 22:35     ` Alan McKinnon
  2009-03-08  5:06     ` John covici
  2009-03-08  9:25     ` Neil Bothwick
  2 siblings, 0 replies; 9+ messages in thread
From: Alan McKinnon @ 2009-03-07 22:35 UTC (permalink / raw
  To: gentoo-user

On Saturday 07 March 2009 23:54:22 Dale wrote:
> Alan McKinnon wrote:
> > On Saturday 07 March 2009 23:20:38 John covici wrote:
> >> Hi.  I am getting digest verification failed when trying to emerge
> >> bittorrent -- it is having trouble with the Changelog file.  The exact
> >> message is:
> >> !!! Digest verification failed:
> >> !!! /usr/portage/net-p2p/bittorrent/ChangeLog
> >> !!! Reason: Filesize does not match recorded size
> >> !!! Got: 19308
> >> !!! Expected: 19466
> >>
> >> Is there a new ebuild coming?
> >
> > wait 24 hours, resync, try again.
> >
> > Or just re-digest the package manually:
> >
> > ebuild <path_to_ebuild_file> manifest
>
> Does emerge --digest still exist?  I recall using something like that a
> long time ago.  I think I used it for googleforearth which never matches.

--digest is long since gone and totally replaced with manifests. ebuild still 
has a --digest option, but these days it is the same as --manifest

-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-07 21:54   ` Dale
  2009-03-07 22:35     ` Alan McKinnon
@ 2009-03-08  5:06     ` John covici
  2009-03-08 18:29       ` Alan McKinnon
  2009-03-08  9:25     ` Neil Bothwick
  2 siblings, 1 reply; 9+ messages in thread
From: John covici @ 2009-03-08  5:06 UTC (permalink / raw
  To: gentoo-user

on Saturday 03/07/2009 Dale(rdalek1967@gmail.com) wrote
 > Alan McKinnon wrote:
 > > On Saturday 07 March 2009 23:20:38 John covici wrote:
 > >   
 > >> Hi.  I am getting digest verification failed when trying to emerge
 > >> bittorrent -- it is having trouble with the Changelog file.  The exact
 > >> message is:
 > >> !!! Digest verification failed:
 > >> !!! /usr/portage/net-p2p/bittorrent/ChangeLog
 > >> !!! Reason: Filesize does not match recorded size
 > >> !!! Got: 19308
 > >> !!! Expected: 19466
 > >>
 > >> Is there a new ebuild coming?
 > >>     
 > >
 > > wait 24 hours, resync, try again.
 > >
 > > Or just re-digest the package manually:
 > >
 > > ebuild <path_to_ebuild_file> manifest
 > >
 > >   
 > 
 > Does emerge --digest still exist?  I recall using something like that a
 > long time ago.  I think I used it for googleforearth which never matches. 

OK, thanks I was hoping something like that would work.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici
         covici@ccs.covici.com




* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-07 21:54   ` Dale
  2009-03-07 22:35     ` Alan McKinnon
  2009-03-08  5:06     ` John covici
@ 2009-03-08  9:25     ` Neil Bothwick
  2009-03-08  9:56       ` Mike Kazantsev
  2009-03-08 10:52       ` AllenJB
  2 siblings, 2 replies; 9+ messages in thread
From: Neil Bothwick @ 2009-03-08  9:25 UTC (permalink / raw
  To: gentoo-user


On Sat, 07 Mar 2009 15:54:22 -0600, Dale wrote:

> > wait 24 hours, resync, try again.
> >
> > Or just re-digest the package manually:
> >
> > ebuild <path_to_ebuild_file> manifest

Bear in mind this overrides the security that digests provide, although
it is harmless when it is only a Changelog file.

> Does emerge --digest still exist?  I recall using something like that a
> long time ago.  I think I used it for googleforearth which never
> matches.

That's not a good idea as the mismatch could be caused by a hacked
source or binary file. The problem with Google Earth was that they used
unversioned tarballs. Whenever you get a digest error on a distfile, the
first step is to delete the distfile and let emerge download it again. If
that doesn't help, resync and then check Bugzilla. Don't redigest a
distfile unless you can be 100% certain of its validity.


-- 
Neil Bothwick

Klingons do NOT sweat! They perspire with honour!


* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-08  9:25     ` Neil Bothwick
@ 2009-03-08  9:56       ` Mike Kazantsev
  2009-03-08 10:52       ` AllenJB
  1 sibling, 0 replies; 9+ messages in thread
From: Mike Kazantsev @ 2009-03-08  9:56 UTC (permalink / raw
  To: gentoo-user


On Sun, 8 Mar 2009 09:25:19 +0000
Neil Bothwick <neil@digimed.co.uk> wrote:

> Don't redigest a distfile unless you can be 100% certain of its validity.

On the other hand, the rule can go like this:
Always redigest when downloading from official source, unless you can
be 100% sure that you've rsync'ed with the valid (tm) mirror, not some
third-party-in-the-middle impersonation or malicious developer
contribution.

-- 
Mike Kazantsev // fraggod.net


* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-08  9:25     ` Neil Bothwick
  2009-03-08  9:56       ` Mike Kazantsev
@ 2009-03-08 10:52       ` AllenJB
  1 sibling, 0 replies; 9+ messages in thread
From: AllenJB @ 2009-03-08 10:52 UTC (permalink / raw
  To: gentoo-user

Neil Bothwick wrote:
> On Sat, 07 Mar 2009 15:54:22 -0600, Dale wrote:
> 
>>> wait 24 hours, resync, try again.
>>>
>>> Or just re-digest the package manually:
>>>
>>> ebuild <path_to_ebuild_file> manifest
> 
> Bear in mind this overrides the security that digests provide, although
> it is harmless when it is only a Changelog file.
> 
>> Does emerge --digest still exist?  I recall using something like that a
>> long time ago.  I think I used it for googleforearth which never
>> matches.
> 
> That's not a good idea as the mismatch could be caused by a hacked
> source or binary file. The problem with Google Earth was that they used
> unversioned tarballs. Whenever you get a digest error on a distfile, the
> first step is to delete the distfile and let emerge download it again. If
> that doesn't help, resync and then check Bugzilla. Don't redigest a
> distfile unless you can be 100% certain of its validity.
> 
> 

It's not just security. It's a basic measure to ensure the source files 
haven't changed (some projects are known to change the source files 
without changing the tarball name) and that the installation 
instructions in the ebuild are still valid.

Note that it's possible for the source files to change and the 
instructions in the ebuild appear to work, but to not correctly install 
the package.

AllenJB




* Re: [gentoo-user] getting digest verification failed when emerging bittorrent
  2009-03-08  5:06     ` John covici
@ 2009-03-08 18:29       ` Alan McKinnon
  0 siblings, 0 replies; 9+ messages in thread
From: Alan McKinnon @ 2009-03-08 18:29 UTC (permalink / raw
  To: gentoo-user

On Sunday 08 March 2009 07:06:22 John covici wrote:
> on Saturday 03/07/2009 Dale(rdalek1967@gmail.com) wrote
>
>  > Alan McKinnon wrote:
>  > > On Saturday 07 March 2009 23:20:38 John covici wrote:
>  > >> Hi.  I am getting digest verification failed when trying to emerge
>  > >> bittorrent -- it is having trouble with the Changelog file.  The
>  > >> exact message is:
>  > >> !!! Digest verification failed:
>  > >> !!! /usr/portage/net-p2p/bittorrent/ChangeLog
>  > >> !!! Reason: Filesize does not match recorded size
>  > >> !!! Got: 19308
>  > >> !!! Expected: 19466
>  > >>
>  > >> Is there a new ebuild coming?
>  > >
>  > > wait 24 hours, resync, try again.
>  > >
>  > > Or just re-digest the package manually:
>  > >
>  > > ebuild <path_to_ebuild_file> manifest
>  >
>  > Does emerge --digest still exist?  I recall using something like that a
>  > long time ago.  I think I used it for googleforearth which never
>  > matches.
>
> OK, thanks I was hoping something like that would work.

As others have already said (but the importance of it got lost in the ensuing 
retorts), you have to be careful not to redigest stuff arbitrarily. This case 
was a mere Changelog which doesn't affect the built binaries and hence is 
safe.

Most digest failures are for one of two reasons:

1. Proprietary binaries that don't think it necessary to tell their customers 
which version they are getting. They must think customers are psychic.
2. The developer goofed and forgot to upload one or more changed files.

The dangerous case that digests are designed to help you with is malicious 
changes where you get a trojan. This danger is real and you should take it 
seriously. The fact that I've never actually *seen* it happen doesn't mean 
anything and isn't even relevant.


-- 
alan dot mckinnon at gmail dot com
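
The check the thread is discussing, as an added example (not Portage's code and not from any poster): each Manifest entry records a size and one or more hashes, and a file is rejected on the first mismatch. The `TYPE name size HASH value ...` line layout is assumed here, and the `example-*.tar.gz` names and all file contents are constructed; only the two ChangeLog sizes come from the error message above.

```python
import hashlib
import tempfile
from pathlib import Path

ALGOS = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}  # Manifest -> hashlib

def manifest_line(ftype, name, data):
    pairs = " ".join(f"{k} {hashlib.new(v, data).hexdigest()}" for k, v in ALGOS.items())
    return f"{ftype} {name} {len(data)} {pairs}"

def parse_manifest(text):
    """Return {name: (type, size, {HASH: value})}, skipping lines that are not entries."""
    entries = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or len(p) % 2 == 0 or not p[2].isdigit():
            continue
        entries[p[1]] = (p[0], int(p[2]), dict(zip(p[3::2], p[4::2])))
    return entries

def verify(path, size, hashes):
    """Check size first (cheap), then every recorded hash we can compute."""
    got = Path(path).stat().st_size
    if got != size:
        return False, f"Filesize does not match recorded size (got {got}, expected {size})"
    data = Path(path).read_bytes()
    usable = {a: h for a, h in hashes.items() if a in ALGOS}
    for algo, want in usable.items():
        if hashlib.new(ALGOS[algo], data).hexdigest() != want.lower():
            return False, f"{algo} does not match recorded hash"
    # Fail closed: an entry with no verifiable hash proves nothing
    return (True, "ok") if usable else (False, "no supported hash recorded")

def demo():
    """Constructed sample: what the Manifest recorded vs. what is on disk."""
    recorded = {"ChangeLog": b"c" * 19466, "example-1.0.tar.gz": b"A" * 4096,
                "example-1.1.tar.gz": b"B" * 4096}
    on_disk = {**recorded, "ChangeLog": b"c" * 19308,      # shorter than recorded
               "example-1.0.tar.gz": b"A" * 4095 + b"Z"}   # same size, altered content
    manifest = "\n".join(manifest_line("MISC" if n == "ChangeLog" else "DIST", n, d)
                         for n, d in recorded.items())
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (_, size, hashes) in parse_manifest(manifest).items():
            Path(tmp, name).write_bytes(on_disk[name])
            results[name] = verify(Path(tmp, name), size, hashes)
    return results

if __name__ == "__main__":
    print(demo())
```

The altered distfile passes the size check and is caught only by the hash, which is why regenerating the Manifest for a distfile discards the one comparison that would have flagged it.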


