From: Marius Bakke
Subject: bug#28326: exiv2 0.26 hash mismatch
Date: Sat, 02 Sep 2017 12:34:59 +0200
Message-ID: <87pob9l770.fsf@fastmail.com>
In-Reply-To: <87fuc5wsvh.fsf@gmail.com>
References: <87fuc5wsvh.fsf@gmail.com>
List-Id: Bug reports for GNU Guix
To: Maxim Cournoyer, 28326-done@debbugs.gnu.org

Maxim Cournoyer writes:

> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
>
> On current master, the following happens:
>
> $ guix build exiv2
>
> Starting download of /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
> From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
>
> [...]
>
> sha256 hash mismatch for output path `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
> expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
> actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
>
> 1. The project maintainers updated the MD5 and filesize of the file
> "exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.
>
> Let's validate those weak MD5 hashes:
>
> $ md5sum exiv2-0.26-trunk.tar.gz # old one
> f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz
>
> $ md5sum exiv2-0.26-trunk\(1\).tar.gz # new one
> 5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz
>
> OK, at least the advertised signature validates.
>
> 2. When extracting those two archives and diffing them, we see the changes:
>
> $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
> Only in exiv2-trunk-old/: ._AUTHORS
> Only in exiv2-trunk-old/: ._bootstrap.macports
> Only in exiv2-trunk-old/: ._bootstrap.mxe
> Only in exiv2-trunk-old/: ._CMakeLists.txt
> Only in exiv2-trunk-old/: ._CMake_msvc.txt
> Only in exiv2-trunk-old/config: ._aclocal.m4
> Only in exiv2-trunk-old/config: ._CMakeChecks.txt
> [...]
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
> Only in exiv2-trunk-old/xmpsdk: ._src
> Only in exiv2-trunk-old/: ._xmpsdk
>
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to Github and in the future the releases will be
> offered directly through Github.
>
> Patch will follow.
>
> [1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
> [2] http://exiv2.org/download.html
> [3] http://dev.exiv2.org/issues/1299
> [4] https://github.com/Exiv2/exiv2/issues/19

Hi Maxim,

Thanks a lot for the detailed analysis! I've applied the patch with a
slightly adjusted commit message.
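The two checks Maxim's report walks through, reproduced as an added example that is not code from the bug report, from Guix or from exiv2. The first half computes the 52-character sha256 string that `guix build` prints as `expected:`/`actual:` (a raw SHA-256 digest in the nix-base32 alphabet that Nix and `guix hash` use, encoded from the least significant bits upward) and includes the inverse so the encoding can be checked to round-trip. The second half does in code what the `diff -ur` step did by eye: it compares the member lists of two tarballs and accepts the update as harmless only when the sole differences are macOS AppleDouble `._*` side files; any changed or added regular file is reported as a real content change. The tarballs here are constructed in memory as stand-ins for the old and new `exiv2-0.26-trunk.tar.gz`; their file names and contents are invented for the example.

```python
"""Added example: Guix-style sha256 of an archive plus a classified diff of
two tarball versions (not code from the bug report, Guix or exiv2)."""
import hashlib
import io
import tarfile

# nix-base32 alphabet used by Nix and `guix hash` (e, o, t and u omitted).
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode raw hash bytes as nix-base32: 5-bit digits are taken from the
    least significant end of the byte string, most significant digit first."""
    nchars = (len(digest) * 8 - 1) // 5 + 1   # 52 for a 32-byte digest
    out = []
    for n in range(nchars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, nbytes: int = 32) -> bytes:
    """Inverse of nix_base32, used to confirm the encoding round-trips."""
    out = bytearray(nbytes)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.index(ch)
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i + 1 < nbytes:
            out[i + 1] |= digit >> (8 - j)
    return bytes(out)


def guix_sha256(data: bytes) -> str:
    """The string Guix prints as expected:/actual: for a fixed-output download."""
    return nix_base32(hashlib.sha256(data).digest())


def roundtrips(data: bytes) -> bool:
    return nix_base32_decode(guix_sha256(data)) == hashlib.sha256(data).digest()


def is_appledouble(path: str) -> bool:
    """True for macOS metadata side files such as ._AUTHORS."""
    return path.rsplit("/", 1)[-1].startswith("._")


def tarball_manifest(data: bytes) -> dict:
    """Map each member path to the sha256 of its content ('' for non-files)."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                content = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(content).hexdigest()
            else:
                manifest[member.name] = ""
    return manifest


def compare_archives(old: bytes, new: bytes) -> dict:
    """Classify differences between two tarballs the way `diff -ur` shows them;
    the update counts as harmless only if nothing beyond ._ files differs."""
    a, b = tarball_manifest(old), tarball_manifest(new)
    only_old = sorted(set(a) - set(b))
    only_new = sorted(set(b) - set(a))
    changed = sorted(p for p in a.keys() & b.keys() if a[p] != b[p])
    harmless = not changed and all(is_appledouble(p) for p in only_old + only_new)
    return {"only_old": only_old, "only_new": only_new,
            "changed": changed, "harmless": harmless}


def make_tarball(files: dict) -> bytes:
    """Build a small .tar.gz in memory from {path: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins for the old and new exiv2-0.26-trunk.tar.gz.
AUTHORS = b"Example Author <author@example.org>\n"
OLD_ARCHIVE = make_tarball({
    "exiv2-trunk/AUTHORS": AUTHORS,
    "exiv2-trunk/._AUTHORS": b"\x00\x05\x16\x07",        # AppleDouble magic
    "exiv2-trunk/src/._exiv2.cpp": b"\x00\x05\x16\x07",
})
NEW_ARCHIVE = make_tarball({"exiv2-trunk/AUTHORS": AUTHORS})
# A re-upload that also changed a real file would not pass as harmless.
TAMPERED_ARCHIVE = make_tarball({"exiv2-trunk/AUTHORS": AUTHORS + b"Someone Else\n"})

if __name__ == "__main__":
    print("old:", guix_sha256(OLD_ARCHIVE))
    print("new:", guix_sha256(NEW_ARCHIVE))
    print(compare_archives(OLD_ARCHIVE, NEW_ARCHIVE))
    print(compare_archives(OLD_ARCHIVE, TAMPERED_ARCHIVE))
```

Running the script prints two different Guix-style hashes for the two archives and a classification for each pair: the metadata-only cleanup comes back `harmless: True` with the `._*` paths listed under `only_old`, while the constructed archive whose `AUTHORS` content differs is flagged with that path under `changed`. The point of encoding the digest the same way Guix does is that a packager can paste the `actual:` value into the package definition only after a comparison like this has shown what actually changed.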