GNU bug report logs - #28326
exiv2 0.26 hash mismatch
Report forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Sat, 02 Sep 2017 05:52:03 GMT)
Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 02 Sep 2017 05:52:03 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
tl;dr: exiv2 source archive was updated in-place and the verification
below gives us confidence that we can safely update the hash.

On current master, the following happens:

    $ guix build exiv2
    Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
    From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
    [...]
    sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
      expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
      actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7

Looking at what happened at the source obtained through the Wayback
Machine at the time it was last updated in Guix[1] compared to now[2], we see
that:

1. The project maintainers updated the MD5 and filesize of the file
"exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.

Let's validate those weak MD5 hashes:

    $ md5sum exiv2-0.26-trunk.tar.gz # old one
    f936d2ca5cbe1e18c71ca2baa5e84fb4 exiv2-0.26-trunk.tar.gz

    $ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
    5399e3b570d7f9205f0e76d47582da4c exiv2-0.26-trunk(1).tar.gz

OK, at least the advertized signature validates.

2. When extracting those two archives and diffing them, we see the changes:

    $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
    Only in exiv2-trunk-old/: ._AUTHORS
    Only in exiv2-trunk-old/: ._bootstrap.macports
    Only in exiv2-trunk-old/: ._bootstrap.mxe
    Only in exiv2-trunk-old/: ._CMakeLists.txt
    Only in exiv2-trunk-old/: ._CMake_msvc.txt
    Only in exiv2-trunk-old/config: ._aclocal.m4
    Only in exiv2-trunk-old/config: ._CMakeChecks.txt
    [...]
    Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
    Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
    Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
    Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
    Only in exiv2-trunk-old/xmpsdk: ._src
    Only in exiv2-trunk-old/: ._xmpsdk

A pretty harmless cleanup. Still, the practice of updating a release in
place is not very good... Upon further digging, the issue was already
reported and discussed[3][4].

Note: they are moving to GitHub and in the future the releases will be
offered directly through GitHub.

Patch will follow.

[1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
[2] http://exiv2.org/download.html
[3] http://dev.exiv2.org/issues/1299
[4] https://github.com/Exiv2/exiv2/issues/19
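
The extract-and-diff check from the report above, as an added example that is not part of the original thread: it compares two tarballs member by member in memory (nothing is unpacked to disk) and reports whether the only difference is removed AppleDouble `._*` files. The function names and the sample archive contents are constructed for illustration.

```python
import hashlib, io, tarfile
from pathlib import PurePosixPath

def member_digests(tar_bytes):
    """SHA-256 of every regular file, keyed by path below the top-level directory.
    Members are read in memory only; nothing from the archive touches the disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                rel = "/".join(PurePosixPath(m.name).parts[1:]) or m.name
                digests[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return digests

def compare_releases(old_bytes, new_bytes):
    """Classify what changed between two tarballs published under one name."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    # Safe to re-pin only if nothing was added or modified and every removed
    # entry is an AppleDouble "._name" file, as in the diff output above.
    only_appledouble = all(PurePosixPath(p).name.startswith("._") for p in removed)
    return {"removed": removed, "added": added, "changed": changed,
            "metadata_only": not added and not changed and only_appledouble}

def make_tar(files, top="exiv2-trunk"):
    """Build a small .tar.gz in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed stand-ins for the two exiv2 archives, not the real contents.
SRC = {"AUTHORS": b"sample\n", "src/exif.cpp": b"int f() { return 0; }\n"}
OLD = make_tar({**SRC, "._AUTHORS": b"\x00\x05\x16\x07", "src/._exif.cpp": b"\x00\x05\x16\x07"})
NEW = make_tar(SRC)
TAMPERED = make_tar({**SRC, "src/exif.cpp": b"int f() { return 1; }\n"})

if __name__ == "__main__":
    print(compare_releases(OLD, NEW))       # only ._ files removed
    print(compare_releases(OLD, TAMPERED))  # a source file differs too
```
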
Information forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Sat, 02 Sep 2017 05:58:02 GMT)
Message #8 received at 28326 <at> debbugs.gnu.org (full text, mbox):
Here's the updated hash.
[0001-gnu-Update-the-hash-of-the-exiv2-package.patch (text/x-patch, attachment)]
Reply sent to Marius Bakke <mbakke <at> fastmail.com>: You have taken responsibility. (Sat, 02 Sep 2017 10:36:01 GMT)
Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: bug acknowledged by developer. (Sat, 02 Sep 2017 10:36:01 GMT)
Message #13 received at 28326-done <at> debbugs.gnu.org (full text, mbox):
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
>
> On current master, the following happens:
>
> $ guix build exiv2
>
> Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
> From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
>
> [...]
>
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
>
> 1. The project maintainers updated the MD5 and filesize of the file
> "exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.
>
> Let's validate those weak MD5 hashes:
>
> $ md5sum exiv2-0.26-trunk.tar.gz # old one
> f936d2ca5cbe1e18c71ca2baa5e84fb4 exiv2-0.26-trunk.tar.gz
>
> $ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
> 5399e3b570d7f9205f0e76d47582da4c exiv2-0.26-trunk(1).tar.gz
>
> OK, at least the advertized signature validates.
>
> 2. When extracting those two archives and diffing them, we see the changes:
>
> $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
> Only in exiv2-trunk-old/: ._AUTHORS
> Only in exiv2-trunk-old/: ._bootstrap.macports
> Only in exiv2-trunk-old/: ._bootstrap.mxe
> Only in exiv2-trunk-old/: ._CMakeLists.txt
> Only in exiv2-trunk-old/: ._CMake_msvc.txt
> Only in exiv2-trunk-old/config: ._aclocal.m4
> Only in exiv2-trunk-old/config: ._CMakeChecks.txt
> [...]
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
> Only in exiv2-trunk-old/xmpsdk: ._src
> Only in exiv2-trunk-old/: ._xmpsdk
>
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to GitHub and in the future the releases will be
> offered directly through GitHub.
>
> Patch will follow.
>
> [1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
> [2] http://exiv2.org/download.html
> [3] http://dev.exiv2.org/issues/1299
> [4] https://github.com/Exiv2/exiv2/issues/19
Hi Maxim,
Thanks a lot for the detailed analysis! I've applied the patch with a
slightly adjusted commit message.
Information forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Sat, 02 Sep 2017 14:52:02 GMT)
Message #16 received at 28326 <at> debbugs.gnu.org (full text, mbox):
On Sat, Sep 02, 2017 at 01:51:14AM -0400, Maxim Cournoyer wrote:
> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
Thanks for your investigation!
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to GitHub and in the future the releases will be
> offered directly through GitHub.
>
> Patch will follow.
Okay, great!
Information forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Sat, 02 Sep 2017 21:36:01 GMT)
Message #19 received at 28326 <at> debbugs.gnu.org (full text, mbox):
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
For the record, as an alternative to the Wayback Machine, you can use:
wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
Ludo’.
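
The `expected`/`actual` values and the hash in the mirror URL above are SHA-256 digests in the Nix-style base32 encoding that Guix uses. As an added example (not part of the thread, helper names are illustrative), this re-computes that form for downloaded bytes, compares it with the pinned value, and builds the content-addressed URL in the layout quoted in the message.

```python
import hashlib

# Nix-style base32 alphabet used for Guix source hashes (no e, o, t, u).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32(digest: bytes) -> str:
    """Encode a digest the way Guix prints it: 5-bit groups taken from the
    least-significant end, emitted most-significant group first."""
    n_chars = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(n_chars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)

def guix_sha256(data: bytes) -> str:
    return nix_base32(hashlib.sha256(data).digest())

def check_source(data: bytes, expected: str):
    """Return (matches, actual), mirroring the expected/actual pair in the build log."""
    actual = guix_sha256(data)
    return actual == expected, actual

def mirror_url(name: str, expected: str, base="https://mirror.hydra.gnu.org"):
    """Content-addressed URL in the layout shown in the message above."""
    return f"{base}/file/{name}/sha256/{expected}"

if __name__ == "__main__":
    pinned = "1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc"  # from the report
    print(mirror_url("exiv2-0.26-trunk.tar.gz", pinned))
    print(check_source(b"constructed sample bytes", pinned))  # (False, <actual hash>)
```
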
Information forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Mon, 04 Sep 2017 13:53:01 GMT)
Message #22 received at 28326 <at> debbugs.gnu.org (full text, mbox):
ludo <at> gnu.org (Ludovic Courtès) writes:
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>
>> Looking at what happened at the source obtained through the Wayback
>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>> that:
>
> For the record, as an alternative to the Wayback Machine, you can use:
>
> wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
Thanks for the tip! I actually tried to find a way to download that file
from Hydra for the investigation but couldn't figure it out (by using
the Hydra web front-end).
Maxim
Information forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Mon, 04 Sep 2017 21:52:02 GMT)
Message #25 received at 28326 <at> debbugs.gnu.org (full text, mbox):
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
> ludo <at> gnu.org (Ludovic Courtès) writes:
>
>> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>>
>>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>>
>>> Looking at what happened at the source obtained through the Wayback
>>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>>> that:
>>
>> For the record, as an alternative to the Wayback Machine, you can use:
>>
>> wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>
> Thanks for the tip! I actually tried to find a way to download that file
> from Hydra for the investigation but couldn't figure it out (by using
> the Hydra web front-end).
This URL is implemented by ‘guix publish’:
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-publish.html
Not very discoverable I admit!
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#28326; Package guix. (Mon, 11 Sep 2017 02:48:01 GMT)
Message #28 received at 28326 <at> debbugs.gnu.org (full text, mbox):
ludo <at> gnu.org (Ludovic Courtès) writes:
> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>
>> ludo <at> gnu.org (Ludovic Courtès) writes:
>>
>>> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>>>
>>>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>>> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>>> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>>>
>>>> Looking at what happened at the source obtained through the Wayback
>>>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>>>> that:
>>>
>>> For the record, as an alternative to the Wayback Machine, you can use:
>>>
>>> wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>
>> Thanks for the tip! I actually tried to find a way to download that file
>> from Hydra for the investigation but couldn't figure it out (by using
>> the Hydra web front-end).
>
> This URL is implemented by ‘guix publish’:
>
> https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-publish.html
>
> Not very discoverable I admit!
>
> Ludo’.
I just (re)read it. Neat! Thanks for the pointer.
Maxim
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 09 Oct 2017 11:24:04 GMT)
This bug report was last modified 7 years and 316 days ago.