From mboxrd@z Thu Jan 1 00:00:00 1970 From: Efraim Flashner Subject: Re: gzip-1.7.tar.gz hash mismatch on core-updates Date: Fri, 8 Apr 2016 09:20:22 +0300 Message-ID: <20160408062022.GB29363@debian-netbook> References: <87fuux6pba.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="K8nIJk4ghYZn606h" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:38222) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aoPmP-0007Qm-Vm for guix-devel@gnu.org; Fri, 08 Apr 2016 02:20:31 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aoPmM-00055N-IO for guix-devel@gnu.org; Fri, 08 Apr 2016 02:20:29 -0400 Content-Disposition: inline In-Reply-To: <87fuux6pba.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?utf-8?Q?Court=C3=A8s?= Cc: Guix-devel --K8nIJk4ghYZn606h Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 08, 2016 at 12:12:41AM +0200, Ludovic Court=C3=A8s wrote: > Hi! >=20 > Commit ea5d388257664d703df23cf3eb0da7b6546d6c42 updates gzip to 1.7. > Its specified SHA256 is: >=20 > 1as1ddq58spflzz5kxm0ni0xfpswrkkrncjpxyb3aw77gizcacgv >=20 > However, when downloading right now, I get a different hash: >=20 > --8<---------------cut here---------------start------------->8--- > $ guix download mirror://gnu/gzip/gzip-1.7.tar.gz >=20 > Starting download of /tmp/guix-file.EtGdvV > From http://ftpmirror.gnu.org/gzip/gzip-1.7.tar.gz... > following redirection to `http://mirror1.babylon.network/gnu/gzip/gzip-1.= 7.tar.gz'... > gzip-1.7.tar.gz 1.1MiB 740KiB/s 00:02 [####################]= 100.0% > /gnu/store/81229hs4j6yyk2hraka505rjp41b9nrs-gzip-1.7.tar.gz > 010rjpxh2vg3qfzph9lx7a35gfs5imkg2mkri26620bqihbsmjzc > $ guix download mirror://gnu/gzip/gzip-1.7.tar.gz.sig >=20 > Starting download of /tmp/guix-file.jK41ds > From http://ftpmirror.gnu.org/gzip/gzip-1.7.tar.gz.sig... > following redirection to `http://mirror.ibcp.fr/pub/gnu/gzip/gzip-1.7.tar= =2Egz.sig'... > gzip-1.7.tar.gz.sig 801B 2.1MiB/s 00:00 [####################]= 100.0% > /gnu/store/r511bm51719l80j1xijflmyfyd3691pd-gzip-1.7.tar.gz.sig > 03j0bcydran7fas42sm1lxf09qcjwp4c2y9rzp42zj088mx6s32b > $ gpg --verify /gnu/store/r511bm51719l80j1xijflmyfyd3691pd-gzip-1.7.tar.g= z.sig /gnu/store/81229hs4j6yyk2hraka505rjp41b9nrs-gzip-1.7.tar.gz > gpg: Signature made Mon 28 Mar 2016 06:05:12 AM CEST using RSA key ID 000= BEEEE > gpg: Good signature from "Jim Meyering " [full] > gpg: aka "Jim Meyering " [full] > gpg: aka "Jim Meyering " [undefined] > --8<---------------cut here---------------end--------------->8--- >=20 > Could you check if you have a copy of gzip-1.7.tar.gz with the hash > that=E2=80=99s in the repo (using =E2=80=98guix build -S gzip=E2=80=99 in= =E2=80=98core-updates=E2=80=99) and if > so, send the diff? >=20 > (I=E2=80=99d like to know if it=E2=80=99s a mistake or if gzip-1.7.tar.gz= has been > modified in place on ftp.gnu.org.) >=20 > Thanks in advance. :-) >=20 > Ludo=E2=80=99. efraim@debian-netbook:~/workspace/guix$ guix import gnu gzip Starting download of /tmp/guix-file.EhzyfG =46rom ftp://ftp.gnu.org/gnu/gzip/gzip-1.7.tar.xz... gzip-1.7.tar.xz 746KiB 554KiB/s 00:01 [####################] 100.0% Starting download of /tmp/guix-file.4OjzCw From ftp://ftp.gnu.org/gnu/gzip/gzip-1.7.tar.xz.sig... gzip-1.7.tar.xz.sig 801B 83KiB/s 00:00 [####################] 100.0% gpg: Signature made Mon 28 Mar 2016 07:05:12 AM IDT using RSA key ID 000BEEEE gpg: Good signature from "Jim Meyering " [undefined] gpg: aka "Jim Meyering " [undefined] gpg: aka "Jim Meyering " [undefined] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 155D 3FC5 00C8 3448 6D1E EA67 7FD9 FCCB 000B EE= EE (package (name "gzip") (version "1.7") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/gzip/gzip-" version ".tar.xz")) (sha256 (base32 "1as1ddq58spflzz5kxm0ni0xfpswrkkrncjpxyb3aw77gizcacgv")))) =2E.. It looks like `guix import gnu gzip` downloaded the .tar.xz copy, and that it also added it to the store, so when I built it the tarball was already in the store and I didn't notice that I forgot to change it from =2Etar.gz to .tar.xz. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --K8nIJk4ghYZn606h Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJXB02jAAoJEPTB05F+rO6T9i4QAInCJPMJHCdBAitIiJq+kfPh x+Tplr5JLT9fxEsSSXEDXdgiWu+8/Vh8wpp0f3Kfc5ZxvL0tXAIaRWkSlvFFff5/ C+jT5BCFwI3NenOXZN3I2nfywea31J3+JGuyTji2d/l7Hdbab9gwDnNnYIrT+hsk vKkHm/qkB4SodYaK3oT+G/26xjFGhvoz3QiTEsOYoDo5vwNsLsd646H7UWjMQtAZ CwBGsip90jJlgIEBxRDoDBN0JuB4plAkXs83LxqclJoysqnFBuOtTGH4p+Z5ofCe /jYPPW5vnsROd56djBzWlxjpxycWmRGLi9CCafL5O2vU4UYLttmNiRXY0jf7HYiK g6QIdGvIt+nuI/jfCqvKzRoFkSUI7EK4rezKzXGv44L7R4cwj+9J9P2qOvJ84vnV izRNuRRm4002MaYTmN8B62FsT9bs8ajWSioDqiEmGPh4y6LbESvyb6th117u3rlp TT0KVZWlx4p+7n/uQlIqCbcI5+Lf4PygFXJOrWndGt9LlpPW3bkMvNR+CCOkGR5B HEwHP4evLcVlvq0yY3bFksuSch5mgRfiGxBbrfa6iScsIUmgDPAy5GJhiqxo8blD 6sr3wlnugi0pqKlOu6zJHRFG++wl5Cr8nlSOmgQoAKbbUSuMkRNNa1m7Q+6af3EU IAizQ99QQLJXKlffgHyf =WVGl -----END PGP SIGNATURE----- --K8nIJk4ghYZn606h--