exiv2 0.26 checksum mismatch #19

Closed
ilovezfs opened this issue Jul 15, 2017 · 6 comments
@ilovezfs

ilovezfs commented Jul 15, 2017

URL: http://www.exiv2.org/builds/exiv2-0.26-trunk.tar.gz

Expected SHA-256: 0c625cbeb494aa1b9221280a5b053b54d0c9720d48fa9120cef7c6f93efd4dc3

Actual SHA-256: c75e3c4a0811bf700d92c82319373b7a825a2331c12b8b37d41eb58e4f18eafb

The expected checksum is what we had in Homebrew for the SHA-256 when the formula was upgraded to 0.26 on Fri May 19 15:49:32 2017 -0400. See Homebrew/homebrew-core#13736.

But currently downloading the file yields a different checksum.

I wanted to make sure you weren't hacked, and ask what the reason(s) for the changes were.

@clanmills
Collaborator

This was discussed yesterday on Redmine: http://dev.exiv2.org/issues/1299

I assure you that the build has not been compromised. The tar.gz has been regenerated twice and the checksum published on our downloads page was updated. No code changes have been made to the modified tar.gz files.

After being released in April, I was asked in May by the project founder to make documentation changes. In July, an issue with the packaging was discovered. #14 MacOS-X was writing hidden files which caused a build failure and the release .tar.gz was regenerated without code changes.

Although I have been contributing to Exiv2 for 10 years, this is the first time that I have been the release engineer. In future, I will only repackage the release in a "dot" release (even when there are no code changes).

I apologise for the inconvenience that this has caused.

@ilovezfs
Author

@clanmills Thanks for your quick response! I will go ahead and update the checksum in Homebrew.

> In future, I will only repackage the release in a "dot" release (even when there are no code changes).

Perfect.

@ilovezfs
Author

> The tar.gz has been regenerated twice and the checksum published on our downloads page was updated.

@clanmills I notice the checksums posted are MD5. It would be good to post SHA-256 (or better) instead of MD5, which is no longer considered secure.

@clanmills
Collaborator

The scripts which build the release use md5sum. I don't feel that changing this is a high priority, however I hope to review this when we release Exiv2 v0.26.1 in September.

@clanmills
Collaborator

I've updated the website release scripts and templates to use sha256sum in future. This will "go live" with Exiv2 v0.26.1 which is scheduled for September 2017.

We use md5sum in our test suite to occasionally compare files. There are no security implications from this and I am not going to change that.
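
Worked example, added here and not code from the exiv2 project or Homebrew: a small checker for the `sha256sum`-style digest file the thread ends up recommending. It parses the two-column `<hex>  <filename>` format, refuses a digest file that only offers 32-hex (MD5) entries, and then walks through the constructed situation of this issue, where a tarball republished under the same name no longer matches the pinned SHA-256. The filename and file contents are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Added example, not exiv2/Homebrew code. Digest files are the two-column
# output of sha256sum/md5sum: "<hex>  <filename>". The hex length identifies
# the algorithm; a 32-char (MD5) digest is rejected as a verification source.
ACCEPTED = {64: "sha256", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")

def parse_sums(text):
    """Map filename -> (algo, hexdigest); ValueError on MD5 or junk lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable digest line: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        algo = ACCEPTED.get(len(digest))
        if algo is None:
            raise ValueError(f"{name}: {len(digest)}-hex digest not accepted")
        entries[name] = (algo, digest)
    return entries

def file_digest(path, algo):
    """Stream the file through hashlib so large tarballs are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, sums_text):
    """True iff the file matches its pinned digest (constant-time compare)."""
    algo, expected = parse_sums(sums_text)[Path(path).name]
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed: pin a digest, then republish different bytes under the same name."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "exiv2-0.26-trunk.tar.gz"
        tarball.write_bytes(b"constructed release contents\n")
        sums = f"{file_digest(tarball, 'sha256')}  {tarball.name}\n"
        ok_before = verify(tarball, sums)
        tarball.write_bytes(b"constructed release contents, repacked\n")
        return ok_before, verify(tarball, sums)
```

`demo()` returns `(True, False)`: the pinned digest verifies the original bytes and fails on the repacked file, which is exactly the signal a packager sees and has to investigate rather than silently re-pin.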

@ilovezfs
Author

@clanmills excellent! Thanks a lot :)
