Maxim Cournoyer writes:

> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
>
> On current master, the following happens:
>
> $ guix build exiv2
>
> Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
> From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
>
> [...]
>
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
>
> 1. The project maintainers updated the MD5 and filesize of the file
> "exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.
>
> Let's validate those weak MD5 hashes:
>
> $ md5sum exiv2-0.26-trunk.tar.gz # old one
> f936d2ca5cbe1e18c71ca2baa5e84fb4 exiv2-0.26-trunk.tar.gz
>
> $ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
> 5399e3b570d7f9205f0e76d47582da4c exiv2-0.26-trunk(1).tar.gz
>
> OK, at least the advertized signature validates.
>
> 2. When extracting those two archives and diffing them, we see the changes:
>
> $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
> Only in exiv2-trunk-old/: ._AUTHORS
> Only in exiv2-trunk-old/: ._bootstrap.macports
> Only in exiv2-trunk-old/: ._bootstrap.mxe
> Only in exiv2-trunk-old/: ._CMakeLists.txt
> Only in exiv2-trunk-old/: ._CMake_msvc.txt
> Only in exiv2-trunk-old/config: ._aclocal.m4
> Only in exiv2-trunk-old/config: ._CMakeChecks.txt
> [...]
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
> Only in exiv2-trunk-old/xmpsdk: ._src
> Only in exiv2-trunk-old/: ._xmpsdk
>
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to Github and in the future the releases will be
> offered directly through Github.
>
> Patch will follow.
>
> [1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
> [2] http://exiv2.org/download.html
> [3] http://dev.exiv2.org/issues/1299
> [4] https://github.com/Exiv2/exiv2/issues/19

Hi Maxim,

Thanks a lot for the detailed analysis! I've applied the patch with a
slightly adjusted commit message.
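
An added example, not part of the original messages or of Guix: the comparison from step 2 done member by member on the two archives without unpacking them, reporting whether anything differs beyond the removal of `._*` files (macOS AppleDouble metadata). The function names are hypothetical and the sample archives are constructed in memory, not the real exiv2 tarballs.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each regular file in a tar archive to its SHA-256, reading in memory only."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():  # directories, symlinks and devices are not compared
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def is_appledouble(path):
    """True for AppleDouble side files such as 'config/._aclocal.m4'."""
    return path.rsplit("/", 1)[-1].startswith("._")

def compare_archives(old_bytes, new_bytes):
    """Classify content differences between an old and a re-released archive."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    gone = old.keys() - new.keys()
    report = {
        "removed_metadata": sorted(p for p in gone if is_appledouble(p)),
        "removed": sorted(p for p in gone if not is_appledouble(p)),
        "added": sorted(new.keys() - old.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }
    # Benign means: no file added, changed, or removed other than '._*' metadata.
    report["benign"] = not (report["removed"] or report["added"] or report["changed"])
    return report

def make_tar(files):
    """Build a constructed gzip-compressed tarball from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples shaped like the diff above (placeholder contents).
BASE = {"exiv2-trunk/AUTHORS": b"a\n", "exiv2-trunk/src/exif.cpp": b"int x;\n"}
OLD = make_tar({**BASE, "exiv2-trunk/._AUTHORS": b"\x00\x05\x16\x07"})
NEW = make_tar(BASE)
TAMPERED = make_tar({**BASE, "exiv2-trunk/src/exif.cpp": b"int y;\n"})

if __name__ == "__main__":
    print(compare_archives(OLD, NEW))
    print(compare_archives(OLD, TAMPERED))
```

Only when the report is benign is updating the recorded hash justified by the comparison alone; any entry under `changed`, `added` or `removed` needs a manual review of that file first.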