FS#64145 - Corrupted package in Arch Linux Archive not updated
Attached to Project:
Arch Linux
Opened by David (dlo9) - Wednesday, 16 October 2019, 06:28 GMT
Last edited by Florian Pritz (bluewind) - Friday, 18 October 2019, 18:18 GMT
Details
As indicated by [this forum
thread](https://bbs.archlinux.org/viewtopic.php?id=248827),
the zbar-0.23-1 package was at some point corrupted, but
then quickly fixed (without a pkgrel bump). The fixed
package is what currently exists on all sync'd mirrors.
However, the broken package is the only instance of
zbar-0.23 available anywhere on the Arch Linux Archive
(ALA), resulting in installation errors for anyone using
that as a mirror (in particular, for a reproducible build
I'm doing).
Installing from the ALA results in the following error (some output removed):

```
pacman -S --debug --noconfirm zbar
```

```
:: Retrieving packages...
debug: url: https://archive.archlinux.org/repos/2019/10/14/extra/os/x86_64/zbar-0.23-1-x86_64.pkg.tar.xz
debug: maxsize: 164396
debug: opened tempfile for download: /tmp/pacman/pkg/zbar-0.23-1-x86_64.pkg.tar.xz.part (wb)
downloading zbar-0.23-1-x86_64.pkg.tar.xz...
debug: curl returned error 0 from transfer
debug: response code: 200
debug: using cachedir: /tmp/pacman/pkg/
checking keyring...
debug: GPGME version: 1.13.1
debug: GPGME engine info: file=/usr/bin/gpg, home=/etc/pacman.d/gnupg/
debug: looking up key 786C63F330D7CB92 locally
debug: key lookup success, key exists
checking package integrity...
debug: found cached pkg: /tmp/pacman/pkg/zbar-0.23-1-x86_64.pkg.tar.xz
debug: sig data: iQIzBAABCAAdFiEEtZcfLFwQqaCMYAMPeGxj8zDXy5IFAl1RS3oACgkQeGxj8zDXy5IibQ//Y7g2htcZbExZXieuYFxpNHEONjyEQeA1TVmXggCKSCwtK3WEwSDU67dBD6bcFRX2pevEk1yVMNhIpIGIisSyIenJssa+pzonwGVWr9crPW061F1AoxLw6gvMDl3FBVRlkqPyJWph85lhymV0sqLRZEbHSHqxiHSGz48QmazpRRt0vbKzXu27LYV84QcGRDb3GbDkHZm+ZByzW45SoTxD5ocTnha2HOGchf7cATTS0qDhnV7O4xuG4eI7NvsBG+xrLMS8gyuGfZYfMkB/ILmqQr8gzl4VGCBewH934rkrfH4V12/oD7UiK8GFgCQcvl8A011WDUSsD+1sCQX8wkI50c3D7EWhVVOGw52JMnG28NVN+qW8zvaJpZxMwzy5n6RpcJZz00FMXugc3FpQqFwQw0ods+FnQ4SDlPIDrPZWh0KklBEddqHMHohR3KEAAnmAfp/I09ynPAitUZwQ5LCAPLJ6GNljksOYrnK5WBYbCly+HLz2VdupYMjJap+5YAw8xKtg5QWyl+ZvPk3W0a2JRPioPgn/6cu6ofoClTlJsAF+SMfuMA1p2eef1/Q4bYGFPLOv85lUuVLj1rNh6PnBIlK7LrxecYBFw627xbY6oll+n3Ln0n8vSuTU7fC61vynWcchFkv5EOoKZt7sg3a+5HKLHvA9zEUlocOU3mn761Q=
debug: checking signature for /tmp/pacman/pkg/zbar-0.23-1-x86_64.pkg.tar.xz
debug: 1 signatures returned
debug: fingerprint: 786C63F330D7CB92
debug: summary: red
debug: status: Bad signature
debug: timestamp: 0
debug: exp_timestamp: 0
debug: validity: unknown; reason: Success
debug: key: B5971F2C5C10A9A08C60030F786C63F330D7CB92, Felix Yan <felixonmars@archlinux.org>, owner_trust unknown, disabled 0
debug: signature is not valid
error: zbar: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /tmp/pacman/pkg/zbar-0.23-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))
debug: unregistering database 'local'
debug: freeing package cache for repository 'local'
debug: unregistering database 'core'
debug: freeing package cache for repository 'core'
debug: unregistering database 'extra'
debug: freeing package cache for repository 'extra'
debug: unregistering database 'community'
debug: unregistering database 'multilib'
Errors occurred, no packages were upgraded.
```

This package corruption can be verified by comparing various checksums:

```
# Package from the ALA
curl -L https://archive.archlinux.org/packages/z/zbar/zbar-0.23-1-x86_64.pkg.tar.xz -o archlinuxarchive.tar.xz

# Package from the ALA's rsync source
rsync -aLq rsync://polymorf.fr/archlinux/extra/os/x86_64/zbar-0.23-1-x86_64.pkg.tar.xz archlinuxarchive_rsync_source.tar.xz

# Package from an arbitrary mirror (assuming the package hasn't since been updated)
curl -L https://www.archlinux.org/packages/extra/x86_64/zbar/download/ -o mirror.tar.xz

md5sum *
```

```
c8cca6ce14029330e284d45394ee214b  archlinuxarchive.tar.xz
191e640a7606c59aa5eb6f2aa38cbc9d  archlinuxarchive_rsync_source.tar.xz
191e640a7606c59aa5eb6f2aa38cbc9d  mirror.tar.xz
```

We see that the package in the archive is different (and has the same checksum as in the linked forum post above), despite the fact that it should be rsyncing the package from polymorf.fr, if my understanding of the [ALA source code](https://git.seblu.net/archlinux/archivetools/blob/master/archive.conf#L4) is correct.

It seems the fix for this would be one of the following:

- Fix the ALA source code so that the file is properly updated
- Do a pkgrel bump (which isn't ideal since the corrupted 0.23-1 package would still be in the ALA, despite the fact that mirrors haven't had it for > 1 month)

I've also uploaded the ALA-sourced package and mirror-sourced package for comparison in case mirrors are updated before this bug is reviewed.
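The checksum comparison in the report, generalized into a reusable check; this is an added example, not part of the original report or of the ALA tooling. The function names, the constructed sample files and the use of `sha256sum` in place of the report's `md5sum` are assumptions of the example.

```shell
#!/bin/sh
# Added example: group copies of one package file by SHA-256 and name the
# copies that disagree with the majority (same file name, different bytes).

# Constructed stand-ins for the three downloads in the report.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf 'fixed package bytes\n'   > "$dir/mirror.tar.xz"
    printf 'fixed package bytes\n'   > "$dir/archlinuxarchive_rsync_source.tar.xz"
    printf 'stale corrupted bytes\n' > "$dir/archlinuxarchive.tar.xz"
    printf '%s\n' "$dir"
}

# digest_outliers FILE...
# Prints each file whose digest differs from the most common one. If there is
# no clear majority (a tie), every file is printed, because a checksum alone
# cannot say which copy is the good one.
# Exit status: 0 = all copies identical, 1 = at least one mismatch.
digest_outliers() {
    sha256sum -- "$@" | awk '
        BEGIN { best = 0; ties = 0; distinct = 0 }
        {
            d = $1
            digest[NR] = d
            name[NR] = substr($0, 67)   # 64 hex chars + 2 separator chars
            if (!(d in count)) distinct++
            count[d]++
        }
        END {
            if (distinct <= 1) exit 0
            for (d in count) {
                if (count[d] > best) { best = count[d]; major = d; ties = 1 }
                else if (count[d] == best) ties++
            }
            for (i = 1; i <= NR; i++)
                if (ties > 1 || digest[i] != major) print name[i]
            exit 1
        }'
}

# Demo on the constructed samples: prints the path of the archive copy.
demo_dir=$(make_samples)
digest_outliers "$demo_dir"/*.tar.xz || echo "copies differ" >&2
rm -rf "$demo_dir"
```

A matching digest only shows that the copies agree with each other; in the report it is pacman's PGP signature check that marks the archive copy as the bad one.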
Closed by Florian Pritz (bluewind)
Friday, 18 October 2019, 18:18 GMT
Reason for closing: Fixed
Additional comments about closing: Removed and reuploaded. Checksum is the same as on the mirrors now. Thanks!
Comment by David (dlo9) -
Wednesday, 16 October 2019, 06:33 GMT
Apologies for the munged formatting. Apparently markdown doesn't
work like I expected, despite Flyspray docs to the contrary:
https://sourceforge.net/p/flyspray/wiki/markdown_syntax/#md_ex_code