[debbugs-tracker] bug#28326: closed (exiv2 0.26 hash mismatch)


From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#28326: closed (exiv2 0.26 hash mismatch)
Date: Sat, 02 Sep 2017 10:36:01 +0000

Your message dated Sat, 02 Sep 2017 12:34:59 +0200
with message-id <address@hidden>
and subject line Re: bug#28326: exiv2 0.26 hash mismatch
has caused the debbugs.gnu.org bug report #28326,
regarding exiv2 0.26 hash mismatch
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
28326: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28326
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: exiv2 0.26 hash mismatch
Date: Sat, 02 Sep 2017 01:51:14 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

tl;dr: exiv2 source archive was updated in-place and the verification
below gives us confidence that we can safely update the hash.

On current master, the following happens:

$ guix build exiv2

Starting download of 
/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...

[...]

sha256 hash mismatch for output path 
`/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
  expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
  actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7

Looking at what happened at the source obtained through the Wayback
Machine at the time it was last updated in Guix[1] compared to now[2], we see
that:

1. The project maintainers updated the MD5 and filesize of the file
"exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.

Let's validate those weak MD5 hashes:

$ md5sum exiv2-0.26-trunk.tar.gz  # old one
f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz

$ md5sum exiv2-0.26-trunk\(1\).tar.gz  # new one
5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz

OK, at least the advertized signature validates.

2. When extracting those two archives and diffing them, we see the changes:

$ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
Only in exiv2-trunk-old/: ._AUTHORS
Only in exiv2-trunk-old/: ._bootstrap.macports
Only in exiv2-trunk-old/: ._bootstrap.mxe
Only in exiv2-trunk-old/: ._CMakeLists.txt
Only in exiv2-trunk-old/: ._CMake_msvc.txt
Only in exiv2-trunk-old/config: ._aclocal.m4
Only in exiv2-trunk-old/config: ._CMakeChecks.txt
[...]
Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
Only in exiv2-trunk-old/xmpsdk: ._src
Only in exiv2-trunk-old/: ._xmpsdk

A pretty harmless cleanup. Still, the practice of updating a release in
place is not very good... Upon further digging, the issue was already
reported and discussed[3][4].

Note: they are moving to GitHub and in the future the releases will be
offered directly through GitHub.

Patch will follow.

[1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
[2] http://exiv2.org/download.html
[3] http://dev.exiv2.org/issues/1299
[4] https://github.com/Exiv2/exiv2/issues/19



--- End Message ---
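
The archive comparison from step 2 of the message above, as an added example that is not part of the original thread: it hashes every member of two tarballs in memory and reports whether the only differences are removed `._*` AppleDouble sidecar files. The function names and sample archives are constructed for illustration; going beyond the `diff -ur` in the report, it also flags added and modified files.

```python
import hashlib
import io
import posixpath
import tarfile

def member_digests(archive_bytes):
    """Map each regular file in a .tar.gz to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                # Drop the top-level directory so differently named roots compare.
                name = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()  # read in memory, nothing hits disk
                digests[name] = hashlib.sha256(data).hexdigest()
    return digests

def is_appledouble(name):
    """macOS AppleDouble sidecar files are named '._<original name>'."""
    return posixpath.basename(name).startswith("._")

def compare(old_bytes, new_bytes):
    old, new = member_digests(old_bytes), member_digests(new_bytes)
    report = {
        "only_old": sorted(set(old) - set(new)),
        "only_new": sorted(set(new) - set(old)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }
    # Benign only if nothing was added or modified and every removal is a sidecar.
    report["metadata_only"] = (
        not report["only_new"] and not report["changed"]
        and all(is_appledouble(n) for n in report["only_old"])
    )
    return report

def make_archive(root, files):
    """Build a constructed .tar.gz in memory (sample data, not the real tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

SOURCES = {"AUTHORS": b"constructed\n", "src/exif.cpp": b"int main() {}\n"}
OLD = make_archive("old", {**SOURCES, "._AUTHORS": b"\x00", "src/._exif.cpp": b"\x00"})
NEW = make_archive("new", SOURCES)
MODIFIED = make_archive("new", {**SOURCES, "src/exif.cpp": b"int main() { return 1; }\n"})
```

Only regular-file contents are compared; symlinks, file modes and ownership would need separate checks before a changed hash is accepted.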
--- Begin Message ---
Subject: Re: bug#28326: exiv2 0.26 hash mismatch
Date: Sat, 02 Sep 2017 12:34:59 +0200
User-agent: Notmuch/0.25 (https://notmuchmail.org) Emacs/25.2.1 (x86_64-unknown-linux-gnu)

Maxim Cournoyer <address@hidden> writes:

> tl;dr: exiv2 source archive was updated in-place and the verification
> below gives us confidence that we can safely update the hash.
>
> On current master, the following happens:
>
> $ guix build exiv2
>
> Starting download of 
> /gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz
> From http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz...
>
> [...]
>
> sha256 hash mismatch for output path 
> `/gnu/store/jcapi6vk4a14hch5jgsh5zps958g91sb-exiv2-0.26-trunk.tar.gz'
>   expected: 1hsdzlzgkipprqh93yj81mrckl2l7c2mn2i84691pallnjz5qqhc
>   actual:   1yza317qxd8yshvqnay164imm0ks7cvij8y8j86p1gqi1153qpn7
>
> Looking at what happened at the source obtained through the Wayback
> Machine at the time it was last updated in Guix[1] compared to now[2], we see
> that:
>
> 1. The project maintainers updated the MD5 and filesize of the file
> "exiv2-0.26-trunk.tar.gz", whose name and URL remained unchanged.
>
> Let's validate those weak MD5 hashes:
>
> $ md5sum exiv2-0.26-trunk.tar.gz  # old one
> f936d2ca5cbe1e18c71ca2baa5e84fb4  exiv2-0.26-trunk.tar.gz
>
> $ md5sum exiv2-0.26-trunk\(1\).tar.gz  # new one
> 5399e3b570d7f9205f0e76d47582da4c  exiv2-0.26-trunk(1).tar.gz
>
> OK, at least the advertized signature validates.
>
> 2. When extracting those two archives and diffing them, we see the changes:
>
> $ diff -ur exiv2-trunk-old/ exiv2-trunk-new/
> Only in exiv2-trunk-old/: ._AUTHORS
> Only in exiv2-trunk-old/: ._bootstrap.macports
> Only in exiv2-trunk-old/: ._bootstrap.mxe
> Only in exiv2-trunk-old/: ._CMakeLists.txt
> Only in exiv2-trunk-old/: ._CMake_msvc.txt
> Only in exiv2-trunk-old/config: ._aclocal.m4
> Only in exiv2-trunk-old/config: ._CMakeChecks.txt
> [...]
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPMeta-Serialize.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils-FileInfo.cpp
> Only in exiv2-trunk-old/xmpsdk/src: ._XMPUtils.hpp
> Only in exiv2-trunk-old/xmpsdk: ._src
> Only in exiv2-trunk-old/: ._xmpsdk
>
> A pretty harmless cleanup. Still, the practice of updating a release in
> place is not very good... Upon further digging, the issue was already
> reported and discussed[3][4].
>
> Note: they are moving to GitHub and in the future the releases will be
> offered directly through GitHub.
>
> Patch will follow.
>
> [1] https://web.archive.org/web/20170606065325/http://exiv2.org/download.html
> [2] http://exiv2.org/download.html
> [3] http://dev.exiv2.org/issues/1299
> [4] https://github.com/Exiv2/exiv2/issues/19

Hi Maxim,

Thanks a lot for the detailed analysis!  I've applied the patch with a
slightly adjusted commit message.

Attachment: signature.asc
Description: PGP signature


--- End Message ---
