From: Maxim Cournoyer
Subject: bug#28326: exiv2 0.26 hash mismatch
Date: Sat, 02 Sep 2017 01:51:14 -0400
Message-ID: <87fuc5wsvh.fsf@gmail.com>
List-Id: Bug reports for GNU Guix
To: 28326@debbugs.gnu.org

tl;dr: exiv2 source archive was updated in-place and the verification below gives us confidence that we can safely update the hash.

On current master, the following happens:

$ guix build exiv2
Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
[...]
sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
  expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
  actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7

Looking at what happened at the source obtained through the Wayback Machine at the time it was last updated in Guix[1] compared to now[2], we see that:

1. The project maintainers updated the MD5 and filesize of the file "exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.

Let's validate those weak MD5 hashes:

$ md5sum exiv2-0.26-trunk.tar.gz # old one
f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz
$ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz

OK, at least the advertised signature validates.

2. When extracting those two archives and diffing them, we see the changes:

$ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
Only in exiv2-trunk-old/: ._AUTHORS
Only in exiv2-trunk-old/: ._bootstrap.macports
Only in exiv2-trunk-old/: ._bootstrap.mxe
Only in exiv2-trunk-old/: ._CMakeLists.txt
Only in exiv2-trunk-old/: ._CMake_msvc.txt
Only in exiv2-trunk-old/config: ._aclocal.m4
Only in exiv2-trunk-old/config: ._CMakeChecks.txt
[...]
Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
Only in exiv2-trunk-old/xmpsdk: ._src
Only in exiv2-trunk-old/: ._xmpsdk

A pretty harmless cleanup. Still, the practice of updating a release in place is not very good...

Upon further digging, the issue was already reported and discussed[3][4].

Note: they are moving to GitHub and in the future the releases will be offered directly through GitHub.

Patch will follow.

[1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
[2] http://exiv2.org/download.html
[3] http://dev.exiv2.org/issues/1299
[4] https://github.com/Exiv2/exiv2/issues/19
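The manual check above (hash both downloads, extract, diff, eyeball whether the only differences are `._*` entries) can be made mechanical. The following is an added example, not code from the bug report, from Guix or from exiv2: it computes the MD5, the SHA-256 and the Nix/Guix base32 rendering of the SHA-256 (the form printed in the "hash mismatch" message) for a tarball, then compares two tarballs member by member and reports `metadata_cleanup_only` only when nothing was added, nothing that exists in both changed, and every removed entry is an AppleDouble `._*` sidecar (the metadata files macOS tar writes next to each file). The three tarballs are constructed in memory with hypothetical contents; the function and constant names are this example's own.

```python
"""Classify an in-place re-upload of a release tarball: harmless sidecar cleanup
or a content change.  Added example; the sample tarballs below are constructed."""
import hashlib
import io
import posixpath
import tarfile

# Alphabet Nix and Guix use for the base32 hashes in "sha256 hash mismatch"
# messages: digits, then letters with e, o, t and u left out.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a raw digest as `guix hash` / Nix print it (52 chars for SHA-256)."""
    n = len(digest)
    length = (n * 8 - 1) // 5 + 1
    out = []
    for pos in range(length - 1, -1, -1):      # most significant 5-bit group first
        i, j = divmod(pos * 5, 8)
        c = digest[i] >> j
        if i + 1 < n:
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def hash_archive(data: bytes) -> dict:
    """MD5 (what exiv2.org advertised), SHA-256 hex, and the Guix-style base32 form."""
    sha = hashlib.sha256(data).digest()
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": sha.hex(), "guix": nix_base32(sha)}


def archive_contents(data: bytes) -> dict:
    """Map member path -> bytes for every regular file in a (compressed) tarball."""
    contents = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                contents[member.name] = tar.extractfile(member).read()
    return contents


def is_appledouble(path: str) -> bool:
    """'._foo' sidecars are AppleDouble metadata written by macOS tar next to 'foo'."""
    return posixpath.basename(path).startswith("._")


def compare_archives(old_data: bytes, new_data: bytes) -> dict:
    """Diff two tarballs of the same release.  metadata_cleanup_only is True only
    when no file was added, no shared file changed, and every removed entry is
    an AppleDouble sidecar; any other difference must be reviewed by hand."""
    old, new = archive_contents(old_data), archive_contents(new_data)
    only_old = sorted(set(old) - set(new))
    only_new = sorted(set(new) - set(old))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    harmless = not only_new and not changed and all(map(is_appledouble, only_old))
    return {"only_old": only_old, "only_new": only_new, "changed": changed,
            "metadata_cleanup_only": harmless}


def build_tarball(files: dict) -> bytes:
    """Build a .tar.gz in memory (sample input for the demo, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives with hypothetical contents (not the real exiv2 files).
_APPLEDOUBLE = b"\x00\x05\x16\x07" + b"\x00" * 28     # AppleDouble magic + padding
_AUTHORS = b"Example Author <author@example.org>\n"
_MAIN_C = b'#include <stdio.h>\nint main(void) { puts("exiv2"); return 0; }\n'
OLD_TARBALL = build_tarball({                       # as first packaged: has sidecars
    "exiv2-trunk/AUTHORS": _AUTHORS,
    "exiv2-trunk/._AUTHORS": _APPLEDOUBLE,
    "exiv2-trunk/src/main.c": _MAIN_C,
    "exiv2-trunk/src/._main.c": _APPLEDOUBLE,
})
NEW_TARBALL = build_tarball({                       # re-upload: sidecars stripped only
    "exiv2-trunk/AUTHORS": _AUTHORS,
    "exiv2-trunk/src/main.c": _MAIN_C,
})
TAMPERED_TARBALL = build_tarball({                  # re-upload that also edits a source
    "exiv2-trunk/AUTHORS": _AUTHORS,
    "exiv2-trunk/src/main.c": _MAIN_C.replace(b'"exiv2"', b'"exiv2-modified"'),
})

if __name__ == "__main__":
    for label, data in (("old", OLD_TARBALL), ("new", NEW_TARBALL), ("tampered", TAMPERED_TARBALL)):
        print(label, hash_archive(data))
    print("old vs new:     ", compare_archives(OLD_TARBALL, NEW_TARBALL))
    print("old vs tampered:", compare_archives(OLD_TARBALL, TAMPERED_TARBALL))
```

A `metadata_cleanup_only` verdict of False means the re-upload changed or added content and the package hash should not simply be bumped; the diff is then the thing to read. The verdict says nothing about who made the change, which is why the report above also checks the advertised MD5 against an archived copy of the download page: a compromised host can re-upload a tarball and rewrite the checksum next to it in one go, so only a record taken before the change, or a signature, separates a maintainer's cleanup from a substitution.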