Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#29527 - [vicious] bad md5sums

Attached to Project: Community Packages
Opened by Eric Belanger (Snowman) - Wednesday, 18 April 2012, 16:37 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 22 April 2012, 21:28 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

$ makepkg --allsource
==> Making package: vicious 2.0.4-2 (Wed Apr 18 12:36:34 EDT 2012)
==> Retrieving Sources...
-> Downloading vicious-2.0.4.tar.gz...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 39854 0 39854 0 0 82529 0 --:--:-- --:--:-- --:--:-- 135k
==> Validating source files with md5sums...
vicious-2.0.4.tar.gz ... FAILED
==> ERROR: One or more files did not pass the validity check!
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Sunday, 22 April 2012, 21:28 GMT
Reason for closing:  Fixed
Comment by Sébastien Luttringer (seblu) - Wednesday, 18 April 2012, 20:05 GMT
hum. md5sum of upstream is different time to time.

I suspect the gzip header to be autogenerated by sysphere. (and so timstamp to be updated). I already changed it two time before release.

$ diff -u <(hd vicious-2.0.4.tar.gz) <(hd vicious-2.0.4\ \(1\).tar.gz)
--- /proc/self/fd/11 2012-04-18 21:52:54.970674733 +0200
+++ /proc/self/fd/12 2012-04-18 21:52:54.970674733 +0200
@@ -1,4 +1,4 @@
-00000000 1f 8b 08 00 f8 e8 8d 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
+00000000 1f 8b 08 00 d6 1a 8f 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
00000010 92 e6 bc 8e ff 0a 87 5e 24 61 42 91 bc 0f 15 06 |.......^$aB.....|
00000020 8b 2c 29 55 95 33 ba 20 a9 b6 a6 31 68 14 9c 74 |.,)U.3. ...1h..t|
00000030 67 24 3b 23 c8 68 1e 4a 45 3f ec 6f 5f 3b dc 49 |g$;#.h.JE?.o_;.I|

But tarball are the same:
$ gunzip vicious-2.0.4.tar.gz
$ gunzip vicious-2.0.4\ \(1\).tar.gz
$ md5sum vicious-2.0.4*
2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4 (1).tar
2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4.tar

As defined here[1], byte which change are mtime field.


[1]: http://tools.ietf.org/html/rfc1952#page-5
Comment by Adrian C. (anrxc) - Thursday, 19 April 2012, 00:03 GMT
I think Cgit creates a new tarball on each request. I'll look into the manual
or create a static tarball.

Edit: mtime probably changes when the tarball in the Cgit cache expires. So
far not seeing anything useful in the manual or in other Google results.
Asked developers for a workaround, otherwise I must create a dedicated releases
place which are not autogenerated.


Comment by Eric Belanger (Snowman) - Thursday, 19 April 2012, 01:22 GMT
In that case, you probably want to put a tarbal on local ftp (ftp://ftp.archlinux.org/other/community/vicious/) and use that for the package.
Comment by Sébastien Luttringer (seblu) - Thursday, 19 April 2012, 10:39 GMT
Done util, Andrian find a proper way of deliver release tarball.

Loading...