From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 28326@debbugs.gnu.org
Subject: bug#28326: exiv2 0.26 hash mismatch
Date: Sat, 02 Sep 2017 01:51:14 -0400
Message-ID: <87fuc5wsvh.fsf@gmail.com>

tl;dr: exiv2 source archive was updated in-place and the verification
below gives us confidence that we can safely update the hash.

On current master, the following happens:

$ guix build exiv2

Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...

[...]

sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
  expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
  actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7

Looking at what happened at the source obtained through the Wayback
Machine at the time it was last updated in Guix[1] compared to now[2], we see
that:

1. The project maintainers updated the MD5 and filesize of the file
"exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.

Let's validate those weak MD5 hashes:

$ md5sum exiv2-0.26-trunk.tar.gz  # old one
f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz

$ md5sum exiv2-0.26-trunk\(1\).tar.gz  # new one
5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz

OK, at least the advertised signature validates.

2. When extracting those two archives and diffing them, we see the changes:

$ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
Only in exiv2-trunk-old/: ._AUTHORS
Only in exiv2-trunk-old/: ._bootstrap.macports
Only in exiv2-trunk-old/: ._bootstrap.mxe
Only in exiv2-trunk-old/: ._CMakeLists.txt
Only in exiv2-trunk-old/: ._CMake_msvc.txt
Only in exiv2-trunk-old/config: ._aclocal.m4
Only in exiv2-trunk-old/config: ._CMakeChecks.txt
[...]
Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
Only in exiv2-trunk-old/xmpsdk: ._src
Only in exiv2-trunk-old/: ._xmpsdk

A pretty harmless cleanup. Still, the practice of updating a release in
place is not very good... Upon further digging, the issue was already
reported and discussed[3][4].

Note: they are moving to GitHub and in the future the releases will be
offered directly through GitHub.

Patch will follow.

[1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
[2] http://exiv2.org/download.html
[3] http://dev.exiv2.org/issues/1299
[4] https://github.com/Exiv2/exiv2/issues/19
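
The two-step check in the message above (hash both uploads, then diff the extracted trees), written as an added Python example that is not part of the original message or of Guix. It compares the archives member by member with SHA-256 and treats only removed `._*` AppleDouble files as harmless; the function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()
                digests[path] = hashlib.sha256(data).hexdigest()
    return digests

def is_appledouble(path):
    """macOS tar stores extended attributes in '._name' companion files."""
    return path.rsplit("/", 1)[-1].startswith("._")

def compare_releases(old_bytes, new_bytes):
    """Classify every difference between two uploads of the same release."""
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    removed = sorted(old.keys() - new.keys())
    report = {
        "removed_appledouble": [p for p in removed if is_appledouble(p)],
        "removed_other": [p for p in removed if not is_appledouble(p)],
        "added": sorted(new.keys() - old.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }
    # Only the disappearance of AppleDouble files is treated as harmless.
    report["benign"] = not (report["removed_other"] or report["added"] or report["changed"])
    return report

def make_tarball(files, top="exiv2-trunk"):
    """Build a constructed sample .tar.gz in memory (not the real archives)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample content; file names are illustrative only.
SOURCE = {"AUTHORS": b"constructed\n", "src/exif.cpp": b"int main() {}\n"}
OLD = make_tarball({**SOURCE, "._AUTHORS": b"\x00\x05\x16\x07", "src/._exif.cpp": b"\x00\x05\x16\x07"})
NEW = make_tarball(SOURCE)
TAMPERED = make_tarball({**SOURCE, "src/exif.cpp": b"int main() { return 1; }\n"})
if __name__ == "__main__":
    print(compare_releases(OLD, NEW), compare_releases(OLD, TAMPERED), sep="\n")
```

Any entry under `changed`, `added` or `removed_other` means the re-upload touched real source content and the new hash should not be accepted without reading that difference.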
