* bug#28326: exiv2 0.26 hash mismatch
@ 2017-09-02  5:51 Maxim Cournoyer
       [not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-02  5:51 UTC (permalink / raw)
  To: 28326

tl;dr: exiv2 source archive was updated in-place and the verification
below gives us confidence that we can safely update the hash.

On current master, the following happens:

$ guix build exiv2

Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...

[...]

sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
  expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
  actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7

Looking at what happened at the source obtained through the Wayback
Machine at the time it was last updated in Guix[1] compared to now[2], we see
that:

1. The project maintainers updated the MD5 and filesize of the file
"exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.

Let's validate those weak MD5 hashes:

$ md5sum exiv2-0.26-trunk.tar.gz  # old one
f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz

$ md5sum exiv2-0.26-trunk\(1\).tar.gz  # new one
5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz

OK, at least the advertized signature validates.

2. When extracting those two archives and diffing them, we see the changes:

$ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
Only in exiv2-trunk-old/: ._AUTHORS
Only in exiv2-trunk-old/: ._bootstrap.macports
Only in exiv2-trunk-old/: ._bootstrap.mxe
Only in exiv2-trunk-old/: ._CMakeLists.txt
Only in exiv2-trunk-old/: ._CMake_msvc.txt
Only in exiv2-trunk-old/config: ._aclocal.m4
Only in exiv2-trunk-old/config: ._CMakeChecks.txt
[...]
Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
Only in exiv2-trunk-old/xmpsdk: ._src
Only in exiv2-trunk-old/: ._xmpsdk

A pretty harmless cleanup. Still, the practice of updating a release in
place is not very good... Upon further digging, the issue was already
reported and discussed[3][4].

Note: they are moving to Github and in the future the releases will be
offered directly through Github.

Patch will follow.

[1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
[2] http://exiv2.org/download.html
[3] http://dev.exiv2.org/issues/1299
[4] https://github.com/Exiv2/exiv2/issues/19

^ permalink raw reply	[flat|nested] 8+ messages in thread
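
The archive comparison described in the message above, as an added example that is not part of the original thread: it hashes every member of both tarballs in memory instead of extracting them, then reports whether the only difference is removed AppleDouble `._*` files. The sample archives and the names `manifest`, `compare` and `make_tarball` are constructed for illustration.

```python
import hashlib
import io
import posixpath
import tarfile


def manifest(tar_bytes, strip=1):
    """Map member path (minus `strip` leading dirs) to the SHA-256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = "/".join(member.name.split("/")[strip:])
            out[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def compare(old_bytes, new_bytes):
    """Diff two tarballs without unpacking either of them to disk."""
    old, new = manifest(old_bytes), manifest(new_bytes)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    # AppleDouble sidecars ("._name") are macOS metadata, not source code.
    sidecars_only = all(posixpath.basename(p).startswith("._") for p in removed)
    return {"removed": removed, "added": added, "changed": changed,
            # Benign only if nothing was added or modified and every removed
            # file is an AppleDouble sidecar.
            "benign": not added and not changed and sidecars_only}


def make_tarball(top, files):
    """Build a constructed sample .tar.gz in memory (test data, not real exiv2)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample input mirroring the shape of the diff in the message.
SRC = {"AUTHORS": b"exiv2 authors\n", "src/exif.cpp": b"int main(){}\n"}
OLD = make_tarball("exiv2-trunk", {**SRC, "._AUTHORS": b"\x00\x05\x16\x07",
                                   "src/._exif.cpp": b"\x00\x05\x16\x07"})
NEW = make_tarball("exiv2-trunk", SRC)

if __name__ == "__main__":
    for key, value in compare(OLD, NEW).items():
        print(key, value)
```

Any entry under `added` or `changed` means the re-uploaded archive differs in real content and the hash should not be bumped without reading those files.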

* bug#28326: [PATCH] Re: bug#28326: Acknowledgement (exiv2 0.26 hash mismatch)
       [not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
@ 2017-09-02  5:57   ` Maxim Cournoyer
  0 siblings, 0 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-02  5:57 UTC (permalink / raw)
  To: 28326

[-- Attachment #1: Type: text/plain, Size: 26 bytes --]

Here's the updated hash.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-Update-the-hash-of-the-exiv2-package.patch --]
[-- Type: text/x-patch, Size: 1084 bytes --]

From ea55dd50570e8c16e124cfefe6c7f1cf33e706b3 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Sat, 2 Sep 2017 01:45:24 -0400
Subject: [PATCH] gnu: Update the hash of the exiv2 package.

The source archive was updated in place; only a cleanup of non functional
files was done (see: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28326).

* gnu/packages/image.scm (exiv2): Update hash.
---
 gnu/packages/image.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index e93248199..503a249a9 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -868,7 +868,7 @@ channels.")
                                        version ".tar.gz")))
              (sha256
               (base32
-               "1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc"))))
+               "1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7"))))
     (build-system gnu-build-system)
     (arguments '(#:tests? #f))                    ; no `check' target
     (propagated-inputs
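
Review bot: The base32 string under (sha256 ...) changes while the version and URL expression just above it stay untouched, and nothing in image.scm itself records why. A short comment next to the hash saying that upstream replaced the 0.26 tarball in place, with the bug URL already given in the commit message, would let a later reader of the file tell this apart from an unexplained same-version hash change without digging through the log.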
-- 
2.13.1


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* bug#28326: exiv2 0.26 hash mismatch
  2017-09-02  5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
       [not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
@ 2017-09-02 10:34 ` Marius Bakke
  2017-09-02 14:51 ` Leo Famulari
  2017-09-02 21:34 ` Ludovic Courtès
  3 siblings, 0 replies; 8+ messages in thread
From: Marius Bakke @ 2017-09-02 10:34 UTC (permalink / raw)
  To: Maxim Cournoyer, 28326-done

[-- Attachment #1: Type: text/plain, Size: 2686 bytes --]

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
>
> On current master, the following happens:
>
> $ guix build exiv2
>
> Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
> From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
>
> [...]
>
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>   expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>   actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
>
> 1. The project maintainers updated the MD5 and filesize of the file
> "exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.
>
> Let's validate those weak MD5 hashes:
>
> $ md5sum exiv2-0.26-trunk.tar.gz  # old one
> f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz
>
> $ md5sum exiv2-0.26-trunk\(1\).tar.gz  # new one
> 5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz
>
> OK, at least the advertized signature validates.
>
> 2. When extracting those two archives and diffing them, we see the changes:
>
> $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
> Only in exiv2-trunk-old/: ._AUTHORS
> Only in exiv2-trunk-old/: ._bootstrap.macports
> Only in exiv2-trunk-old/: ._bootstrap.mxe
> Only in exiv2-trunk-old/: ._CMakeLists.txt
> Only in exiv2-trunk-old/: ._CMake_msvc.txt
> Only in exiv2-trunk-old/config: ._aclocal.m4
> Only in exiv2-trunk-old/config: ._CMakeChecks.txt
> [...]
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
> Only in exiv2-trunk-old/xmpsdk: ._src
> Only in exiv2-trunk-old/: ._xmpsdk
>
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to Github and in the future the releases will be
> offered directly through Github.
>
> Patch will follow.
>
> [1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
> [2] http://exiv2.org/download.html
> [3] http://dev.exiv2.org/issues/1299
> [4] https://github.com/Exiv2/exiv2/issues/19

Hi Maxim,

Thanks a lot for the detailed analysis!  I've applied the patch with a
slightly adjusted commit message.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#28326: exiv2 0.26 hash mismatch
  2017-09-02  5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
       [not found] ` <handler.28326.B.150433150430923.ack@debbugs.gnu.org>
  2017-09-02 10:34 ` bug#28326: exiv2 0.26 hash mismatch Marius Bakke
@ 2017-09-02 14:51 ` Leo Famulari
  2017-09-02 21:34 ` Ludovic Courtès
  3 siblings, 0 replies; 8+ messages in thread
From: Leo Famulari @ 2017-09-02 14:51 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 28326

[-- Attachment #1: Type: text/plain, Size: 577 bytes --]

On Sat, Sep 02, 2017 at 01:51:14AM -0400, Maxim Cournoyer wrote:
> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.

Thanks for your investigation!

> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
> 
> Note: they are moving to Github and in the future the releases will be
> offered directly through Github.
> 
> Patch will follow.

Okay, great!


^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#28326: exiv2 0.26 hash mismatch
  2017-09-02  5:51 bug#28326: exiv2 0.26 hash mismatch Maxim Cournoyer
                   ` (2 preceding siblings ...)
  2017-09-02 14:51 ` Leo Famulari
@ 2017-09-02 21:34 ` Ludovic Courtès
  2017-09-04 13:52   ` Maxim Cournoyer
  3 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-09-02 21:34 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 28326

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>   expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>   actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:

For the record, as an alternative to the Wayback Machine, you can use:

  wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc

Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#28326: exiv2 0.26 hash mismatch
  2017-09-02 21:34 ` Ludovic Courtès
@ 2017-09-04 13:52   ` Maxim Cournoyer
  2017-09-04 21:51     ` Ludovic Courtès
  0 siblings, 1 reply; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-04 13:52 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 28326

ludo@gnu.org (Ludovic Courtès) writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>   expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>   actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>
>> Looking at what happened at the source obtained through the Wayback
>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>> that:
>
> For the record, as an alternative to the Wayback Machine, you can use:
>
>   wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc

Thanks for the tip! I actually tried to find a way to download that file
from Hydra for the investigation but couldn't figure it out (by using
the Hydra web front-end).

Maxim

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#28326: exiv2 0.26 hash mismatch
  2017-09-04 13:52   ` Maxim Cournoyer
@ 2017-09-04 21:51     ` Ludovic Courtès
  2017-09-11  2:47       ` Maxim Cournoyer
  0 siblings, 1 reply; 8+ messages in thread
From: Ludovic Courtès @ 2017-09-04 21:51 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 28326

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>>
>>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>>   expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>>   actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>>
>>> Looking at what happened at the source obtained through the Wayback
>>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>>> that:
>>
>> For the record, as an alternative to the Wayback Machine, you can use:
>>
>>   wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>
> Thanks for the tip! I actually tried to find a way to download that file
> from Hydra for the investigation but couldn't figure it out (by using
> the Hydra web front-end).

This URL is implemented by ‘guix publish’:

  https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-publish.html

Not very discoverable I admit!

Ludo’.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#28326: exiv2 0.26 hash mismatch
  2017-09-04 21:51     ` Ludovic Courtès
@ 2017-09-11  2:47       ` Maxim Cournoyer
  0 siblings, 0 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2017-09-11  2:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 28326

ludo@gnu.org (Ludovic Courtès) writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>>>
>>>> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>>>>   expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>>>   actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>>>>
>>>> Looking at what happened at the source obtained through the Wayback
>>>> Machine at the time it was last updated in Guix[1] compared to now[2], we see
>>>> that:
>>>
>>> For the record, as an alternative to the Wayback Machine, you can use:
>>>
>>>   wget https://mirror.hydra.gnu.org/file/exiv2-0.26-trunk.tar.gz/sha256/1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>>
>> Thanks for the tip! I actually tried to find a way to download that file
>> from Hydra for the investigation but couldn't figure it out (by using
>> the Hydra web front-end).
>
> This URL is implemented by ‘guix publish’:
>
>   https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-publish.html
>
> Not very discoverable I admit!
>
> Ludo’.

I just (re)read it. Neat! Thanks for the pointer.

Maxim

^ permalink raw reply	[flat|nested] 8+ messages in thread
