From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: mismatch of source tar ball hash Date: Mon, 29 Oct 2018 21:00:14 -0400 Message-ID: <20181030010014.GA17436@jasmine.lan> References: <20181028122333.063da88d@jasniac.instanton> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:39691) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gHIOX-0005va-V0 for guix-devel@gnu.org; Mon, 29 Oct 2018 21:00:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gHIOR-0003Qx-Kc for guix-devel@gnu.org; Mon, 29 Oct 2018 21:00:33 -0400 Received: from wout1-smtp.messagingengine.com ([64.147.123.24]:47323) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gHIOO-0003LS-CQ for guix-devel@gnu.org; Mon, 29 Oct 2018 21:00:25 -0400 Content-Disposition: inline In-Reply-To: <20181028122333.063da88d@jasniac.instanton> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Marco van Hulten Cc: guix-devel@gnu.org --rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Oct 28, 2018 at 12:23:33PM +0100, Marco van Hulten wrote: > substitution of /gnu/store/a77ap0vw0fnsz138paby8w55rlcd58zi-calcurse-4.3.= 0 failed > building /gnu/store/ya1v2nv0mq8dzkcik64inlyxxk3skz3h-calcurse-4.3.0.tar.g= z.drv... > downloading from http://calcurse.org/files/calcurse-4.3.0.tar.gz... > sha256 hash mismatch for /gnu/store/873m2xbqxndbhcdfrngpsj7cwflm48d0-calc= urse-4.3.0.tar.gz: > expected hash: 16jzg0nasnxdlz23i121x41pq5kbxmjzk52c5d863rg117fc7v1i > actual hash: 11q0r4dbi8vca22x3q1ad07nr1gs4y17cgnplbjzmmz9r9x0h8m2 > build of /gnu/store/ya1v2nv0mq8dzkcik64inlyxxk3skz3h-calcurse-4.3.0.tar.g= z.drv failed > View build log at '/var/log/guix/drvs/ya/1v2nv0mq8dzkcik64inlyxxk3skz3h-c= alcurse-4.3.0.tar.gz.drv.bz2'. > \guix package: error: build failed: build of `/gnu/store/r44sbjgn7gxwl3nx= vlnq6946zc05xq0f-profile.drv' failed Fixed by commit a2717e698619fed3204db978f954a1195e1d2b4b, which makes Guix download the source code over HTTPS, since is no longer available over HTTP. Here is how I debugged it: First, I tried downloading the source code, avoiding substitutes because I still have the source code on my mirror: ------ $ guix build --source calcurse --no-substitutes The following derivation will be built: =20 /gnu/store/ya1v2nv0mq8dzkcik64inlyxxk3skz3h-calcurse-4.3.0.tar.gz.drv building /gnu/store/ya1v2nv0mq8dzkcik64inlyxxk3skz3h-calcurse-4.3.0.tar.gz.= drv... Starting download of /gnu/store/873m2xbqxndbhcdfrngpsj7cwflm48d0-calcurse-4= =2E3.0.tar.gz =46rom http://calcurse.org/files/calcurse-4.3.0.tar.gz... following redirection to `https://calcurse.org'... downloading from http://calcurse.org/files/calcurse-4.3.0.tar.gz... calcurse-4.3.0.tar.gz 6KiB = = 7.9MiB/s 00:00 [##################] 100.0% sha256 hash mismatch for /gnu/store/873m2xbqxndbhcdfrngpsj7cwflm48d0-calcur= se-4.3.0.tar.gz: expected hash: 16jzg0nasnxdlz23i121x41pq5kbxmjzk52c5d863rg117fc7v1i actual hash: 11q0r4dbi8vca22x3q1ad07nr1gs4y17cgnplbjzmmz9r9x0h8m2 hash mismatch for store item '/gnu/store/873m2xbqxndbhcdfrngpsj7cwflm48d0-c= alcurse-4.3.0.tar.gz' build of /gnu/store/ya1v2nv0mq8dzkcik64inlyxxk3skz3h-calcurse-4.3.0.tar.gz.= drv failed View build log at '/var/log/guix/drvs/ya/1v2nv0mq8dzkcik64inlyxxk3skz3h-cal= curse-4.3.0.tar.gz.drv.bz2'. guix build: error: build failed: build of `/gnu/store/ya1v2nv0mq8dzkcik64in= lyxxk3skz3h-calcurse-4.3.0.tar.gz.drv' failed ------ Then, I downloaded the file in question and examined it: ------ $ guix download http://calcurse.org/files/calcurse-4.3.0.tar.gz Starting download of /tmp/guix-file.nEHs4A =46rom http://calcurse.org/files/calcurse-4.3.0.tar.gz... following redirection to `https://calcurse.org'... =E2=80=A6.3.0.tar.gz 6KiB = = 11.2MiB/s 00:00 [##################] 100.0% /gnu/store/fr962qdmzziwjwngdm8a70pdkaai72mp-calcurse-4.3.0.tar.gz 11q0r4dbi8vca22x3q1ad07nr1gs4y17cgnplbjzmmz9r9x0h8m2 $ file /gnu/store/fr962qdmzziwjwngdm8a70pdkaai72mp-calcurse-4.3.0.tar.gz /gnu/store/fr962qdmzziwjwngdm8a70pdkaai72mp-calcurse-4.3.0.tar.gz: HTML doc= ument, ASCII text $ head --lines 10 /gnu/store/fr962qdmzziwjwngdm8a70pdkaai72mp-calcurse-4.3.= 0.tar.gz calcurse.org ------ So, we see that we are actually getting an HTML file (their homepage), rather than a tarball. Looking back to the original error message, we can see some suspicious redirections, from HTTP to HTTPS and then back to HTTP. This was my first clue that we were not going to download what we expected, because its rare to configure a webserver to downgrade from HTTPS to HTTP in 2018. =46rom there, I made an educated guess that had enabled HSTS, and that we simply needed to adjust our download URL. [0] https://www.gnu.org/software/guix/manual/en/html_node/Building-from-Git.html --rwEMma7ioTxnRzrJ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlvXrR0ACgkQJkb6MLrK fwg0BQ//RXzAhFY0oTQxhQW712kzkKIaVODRWp4MW7S8p2m8s6K1w0eShm3Q4fRO MMs7yheOAWszSe/evwD/Qbos3vKuHIAIEtdhA/c8+I3le4KGK6/j2H9917LUB3RA yThsuuYhN4wIzDGvKcKj5dZxgCQi+5wIO4qPDT4xZEXUao6p/KkBHAyQ5HwFAb+Q E7jVHIby1TWrRl4Hs8dDyCf0mfrhyQyFgUHY94/fWx5UgLuKKxQjtRbNFSQF3+L7 nDXJvXHElbKJNt5PCmVK5Jw6P2WdBl0tkXtmyUwZC/rt8YRQ3mNG6Xn/4je9ngpD 0H5VnN8DkX5glfkindBBXCvLBYIFs/cwC5rGKPe/XIuIiT+SMfD1i2PeiKa0RkgJ AylwgjDypEL6+RqLhc0zXraqTfDjp1UKQM/LvV23UVhiW93iKg3cBuu+1Rimwu/j iaFnLgWZRNmKKjufXYwak90u7p/n/4vKyQdz198E4buu82EYERO30H96JTH85X8p QjhVWY09Lpr0DbmgUQErPCpaiQwHw5ftU6855K5JCT/Pm83ERqyphvIdMZNwXaDA Z5fXDYF/oiUWNYSzfMjFDs2vxOd4Bkyp74JyYiLQlObMvE9150CMnSf1tuO1yeqO 6A61FOEg3yv2mog0QL2E15SLBds3cNPmAQgu9EOttP6an1I2qVM= =ZCh3 -----END PGP SIGNATURE----- --rwEMma7ioTxnRzrJ--