* bug#28326: exiv2 0.26 hash mismatch
@ 2017-09-02 5:51 Maxim Cournoyer
[not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-02 5:51 UTC (permalink / raw)
To: 28326
tl;dr: exiv2 source archive was updated in-place and the verification
below gives us confidence that we can safely update the hash.
On current master, the following happens:
$ guix build exiv2
Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
[...]
sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
Looking at what happened at the source obtained through the Wayback
Machine at the time it was last updated in Guix[1] compared to now[2], we see
that:
1. The project maintainers updated the MD5 and filesize of the file
"exiv2-0.26-trunk.tar.gz", which name and URL remained unchanged.
Let's validate those weak MD5 hashes:
$ md5sum exiv2-0.26-trunk.tar.gz # old one
f936d2ca5cbe1e18c71ca2baa5e84fb4 exiv2-0.26-trunk.tar.gz
$ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
5399e3b570d7f9205f0e76d47582da4c exiv2-0.26-trunk(1).tar.gz
OK, at least the advertized signature validates.
2. When extracting those two archives and diffing them, we see the changes:
$ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
Only in exiv2-trunk-old/: ._AUTHORS
Only in exiv2-trunk-old/: ._bootstrap.macports
Only in exiv2-trunk-old/: ._bootstrap.mxe
Only in exiv2-trunk-old/: ._CMakeLists.txt
Only in exiv2-trunk-old/: ._CMake_msvc.txt
Only in exiv2-trunk-old/config: ._aclocal.m4
Only in exiv2-trunk-old/config: ._CMakeChecks.txt
[...]
Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
Only in exiv2-trunk-old/xmpsdk: ._src
Only in exiv2-trunk-old/: ._xmpsdk
A pretty harmless cleanup. Still, the practice of updating a release in
place is not very good... Upon further digging, the issue was already
reported and discussed[3][4].
Note: they are moving to Github and in the furure the releases will be
offered directly through Github.
Patch will follow.
[1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
[2] http://exiv2.org/download.html
[3] http://dev.exiv2.org/issues/1299
[4] https://github.com/Exiv2/exiv2/issues/19
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#28326: [PATCH] Re: bug#28326: Acknowledgement (exiv2 0.26 hash mismatch)
[not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
@ 2017-09-02 5:57 ` Maxim Cournoyer
0 siblings, 0 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-02 5:57 UTC (permalink / raw)
To: 28326
[-- Attachment #1: Type: text/plain, Size: 26 bytes --]
Here's the updated hash.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-Update-the-hash-of-the-exiv2-package.patch --]
[-- Type: text/x-patch, Size: 1084 bytes --]
From ea55dd50570e8c16e124cfefe6c7f1cf33e706b3 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sat, 2 Sep 2017 01:45:24 -0400
Subject: [PATCH] gnu: Update the hash of the exiv2 package.
The source archive was updated in place; only a cleanup of non functional
files was done (see: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28326).
* gnu/packages/image.scm (exiv2): Update hash.
---
gnu/packages/image.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index e93248199..503a249a9 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -868,7 +868,7 @@ channels.")
version ".tar.gz")))
(sha256
(base32
- "1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc"))))
+ "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
(build-system gnu-build-system)
(arguments '(#:tests? #f)) ; no `check' target
(propagated-inputs
--
2.13.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* bug#28326: exiv2 0.26 hash mismatch
2017-09-02 5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
[not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
@ 2017-09-02 10:34 ` Marius Bakke
2017-09-02 14:51 ` Leo Famulari
2017-09-02 21:34 ` Ludovic Courtès
3 siblings, 0 replies; 8+ messages in thread
From: Marius Bakke @ 2017-09-02 10:34 UTC (permalink / raw)
To: Maxim Cournoyer, 28326-done
[-- Attachment #1: Type: text/plain, Size: 2686 bytes --]
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
>
> On current master, the following happens:
>
> $ guix build exiv2
>
> Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
> From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
>
> [...]
>
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
>
> 1. The project maintainers updated the MD5 and filesize of the file
> "exiv2-0.26-trunk.tar.gz", which name and URL remained unchanged.
>
> Let's validate those weak MD5 hashes:
>
> $ md5sum exiv2-0.26-trunk.tar.gz # old one
> f936d2ca5cbe1e18c71ca2baa5e84fb4 exiv2-0.26-trunk.tar.gz
>
> $ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
> 5399e3b570d7f9205f0e76d47582da4c exiv2-0.26-trunk(1).tar.gz
>
> OK, at least the advertized signature validates.
>
> 2. When extracting those two archives and diffing them, we see the changes:
>
> $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
> Only in exiv2-trunk-old/: ._AUTHORS
> Only in exiv2-trunk-old/: ._bootstrap.macports
> Only in exiv2-trunk-old/: ._bootstrap.mxe
> Only in exiv2-trunk-old/: ._CMakeLists.txt
> Only in exiv2-trunk-old/: ._CMake_msvc.txt
> Only in exiv2-trunk-old/config: ._aclocal.m4
> Only in exiv2-trunk-old/config: ._CMakeChecks.txt
> [...]
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
> Only in exiv2-trunk-old/xmpsdk: ._src
> Only in exiv2-trunk-old/: ._xmpsdk
>
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to Github and in the furure the releases will be
> offered directly through Github.
>
> Patch will follow.
>
> [1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
> [2] http://exiv2.org/download.html
> [3] http://dev.exiv2.org/issues/1299
> [4] https://github.com/Exiv2/exiv2/issues/19
Hi Maxim,
Thanks a lot for the detailed analysis! I've applied the patch with a
slightly adjusted commit message.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#28326: exiv2 0.26 hash mismatch
2017-09-02 5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
[not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
2017-09-02 10:34 ` bug#28326: exiv2 0.26 hash mismatch Marius Bakke
@ 2017-09-02 14:51 ` Leo Famulari
2017-09-02 21:34 ` Ludovic Courtès
3 siblings, 0 replies; 8+ messages in thread
From: Leo Famulari @ 2017-09-02 14:51 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 28326
[-- Attachment #1: Type: text/plain, Size: 577 bytes --]
On Sat, Sep 02, 2017 at 01:51:14AM -0400, Maxim Cournoyer wrote:
> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
Thanks for your investigation!
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to Github and in the furure the releases will be
> offered directly through Github.
>
> Patch will follow.
Okay, great!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#28326: exiv2 0.26 hash mismatch
2017-09-02 5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
` (2 preceding siblings ...)
2017-09-02 14:51 ` Leo Famulari
@ 2017-09-02 21:34 ` Ludovic Courtès
2017-09-04 13:52 ` Maxim Cournoyer
3 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-09-02 21:34 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 28326
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
For the record, as an alternative to the Wayback Machine, you can use:
wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#28326: exiv2 0.26 hash mismatch
2017-09-02 21:34 ` Ludovic Courtès
@ 2017-09-04 13:52 ` Maxim Cournoyer
2017-09-04 21:51 ` Ludovic Courtès
0 siblings, 1 reply; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-04 13:52 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 28326
ludo@gnu.org (Ludovic Courtès) writes:
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>
>> Looking at what happened at the source obtained through the Wayback
>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>> that:
>
> For the record, as an alternative to the Wayback Machine, you can use:
>
> wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
Thanks for the tip! I actually tried to find a way to download that file
from Hydra for the investigation but couldn't figure it out (by using
the Hydra web front-end).
Maxim
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#28326: exiv2 0.26 hash mismatch
2017-09-04 13:52 ` Maxim Cournoyer
@ 2017-09-04 21:51 ` Ludovic Courtès
2017-09-11 2:47 ` Maxim Cournoyer
0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-09-04 21:51 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 28326
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>>
>>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>>
>>> Looking at what happened at the source obtained through the Wayback
>>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>>> that:
>>
>> For the record, as an alternative to the Wayback Machine, you can use:
>>
>> wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>
> Thanks for the tip! I actually tried to find a way to download that file
> from Hydra for the investigation but couldn't figure it out (by using
> the Hydra web front-end).
This URL is implemented by ‘guix publish’:
https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-publish.html
Not very discoverable I admit!
Ludo’.
^ permalink raw reply [flat|nested] 8+ messages in thread
* bug#28326: exiv2 0.26 hash mismatch
2017-09-04 21:51 ` Ludovic Courtès
@ 2017-09-11 2:47 ` Maxim Cournoyer
0 siblings, 0 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-11 2:47 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 28326
ludo@gnu.org (Ludovic Courtès) writes:
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>>>
>>>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>>> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>>> actual: 1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>>>
>>>> Looking at what happened at the source obtained through the Wayback
>>>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>>>> that:
>>>
>>> For the record, as an alternative to the Wayback Machine, you can use:
>>>
>>> wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>
>> Thanks for the tip! I actually tried to find a way to download that file
>> from Hydra for the investigation but couldn't figure it out (by using
>> the Hydra web front-end).
>
> This URL is implemented by ‘guix publish’:
>
> https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-publish.html
>
> Not very discoverable I admit!
>
> Ludo’.
I just (re)read it. Neat! Thanks for the pointer.
Maxim
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-09-11 2:48 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-02 5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
[not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
2017-09-02 5:57 ` bug#28326: [PATCH] Re: bug#28326: Acknowledgement (exiv2 0.26 hash mismatch) Maxim Cournoyer
2017-09-02 10:34 ` bug#28326: exiv2 0.26 hash mismatch Marius Bakke
2017-09-02 14:51 ` Leo Famulari
2017-09-02 21:34 ` Ludovic Courtès
2017-09-04 13:52 ` Maxim Cournoyer
2017-09-04 21:51 ` Ludovic Courtès
2017-09-11 2:47 ` Maxim Cournoyer
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.