Checksums that have changed #18044
Comments
|
What we know so far: libgit2/libgit2#4343 (comment) |
|
Either we hope that these sums don't change too often, bite the bullet this time and wait for the next. Or we disable SHA sums for all github tarballs, and start moving all formulas for which there exists an alternative hosting to that. We could also in theory start mirroring every github tarball, but that seems like a no-no to me (cf: Sisyphus). |
That will not actually help, unless we made the mirror the primary, because we don't fall through to a mirror on a checksum mismatch. |
|
Oh god. This is going to be actual hell.
Tossing any form of integrity verification out of the window seems like a drastic first step to take. Ideally, if anyone is extremely bored, projects need to get nagged to start doing actual release tarballs & have explained to them why this is important. |
I'm just going to assume @fxcoudert was being facetious. 🙉 |
|
😆 In my defence, with how busy this week is proving to be, if you tell me that you're actually a 🐐 I'd probably take it at face value for at least an hour or so before thinking "Wait a second". |
|
I am actually a 🐐. |
|
The team used to joke Xu was very possibly a non-malicious botnet because of how quickly high-quality solutions & ideas were churned out and implemented, so, rule nothing out I guess 🙈. |
Historically, they don't change that often, and certainly we (GitHub) don't plan to make gratuitous changes. We're discussing the possibility of providing byte-stable tarballs automatically (by cementing the archives, bugs and all, at the time a tag is uploaded). In the meantime, what can we do to help resolve the pain of this particular change? If you provided a list of archive URLs, would it be helpful to get back a list of the updated hash for each case? That would allow a mass-update of the homebrew formulas. |
|
We have 1498 URLs matching But from where I'm sitting, not all of them are returning hashes that differ from the stored values. For example, To do a mass update we need things to have stabilised. |
Unfortunately, the major concern is whether the underlying files have changed, which we can only know a) if we have access to the original tarballs to compare them to the new tarballs
The list is not fixed since I assume not all have been converted to the new format yet. |
@peff please, please, please.... That would be wonderful ❤️ |
|
Not all hashes will change. Most of the changes are due to the bugfix in git/git@22f0dcd, so only tarballs with filenames greater than 100 characters are affected. You're right that there may also be some caching in effect. We can flush those caches, which give us a stable state.
You can verify the change by running a version of Git both with and without that patch (i.e., which matches what's in #18048. A few caveats, though:
|
|
It looks like So this looks promising. |
|
For stable, I have verified all of the original checksums could be reconstructed except for
hh: dvorka/hstr#231 So far ssdb is the only upstream to acknowledge the retag.
So I have merged #18048 and reverted (in #18053) the updates for hh, ndpi, and openvdb pending responses from upstream, and will not revert the others since they're accounted for. On to devel next … |
|
The devel specs for freerdp and hub (irony, much?) needed to be fixed: I was able to reconstruct the original checksum for both. The remaining mismatches will likely be in resource blocks. |
|
Two checksums that were fine yesterday have gone bad today. I'm fixing them in #18072. povray: https://github.com/POV-Ray/povray/archive/v3.7.0.3.tar.gz |
Note that this just looked for changes due to the Git patch. I didn't look for retags, renames, etc, that would cause the formula hashes to be invalid. |
|
You lot are all amazing. Thanks for your fast and hard work to resolve this issue so quickly. |
|
brew install hh Error: SHA256 mismatch |
|
@ilyaskorik yes that is an actual retag, which I've reported upstream, as noted here: #18044 (comment) |
|
@ilovezfs But I can not install this program |
|
@ilyaskorik yes, you'll need to wait for upstream to respond to dvorka/hstr#231 or risk changing the checksum yourself. |
|
@peff Do you mind clarifying something?
With that in mind, why is the tagged 'release' https://github.com/airspy/host/archive/v1.0.9.tar.gz affected, the filename there is way shorter than 100 characters... Am I overlooking something? In the long run, what is the best alternative here to avoid being hit from possible future changes in the generated tarballs? |
@boegel The airspy/host hash was not affected by any change to the tarball-generating code. Its contents changed because the repository was renamed, and we use the canonical repository name as the tarball prefix. We provide an HTTP redirect from the old name, though you probably would want to update to the new URL along with the new hash. E.g.:
Right now, I think there are basically two options:
That's a bit of a brain dump on the subject. There may be other options that I haven't thought of, too. |
@peff is this still in the cards as a possibility? |
|
@ilovezfs Sorry, I don't have an update. It's not something I'd be working on personally, but my understanding is it's still being explored. |
|
@peff OK, thanks :) |
|
@peff Thanks for the extensive reply, much appreciated! |
|
@peff: Thanks from me for the detailed response, as well. I think ensuring byte-stable tarballs, either by saving them or using something like Debian's special tar arguments, is the way to go here. We were hit with this in Spack as well, and I'm having trouble deciding exactly how to resolve this, since it's ambiguous whether there are going to be any guarantees on tarballs in If you do not end up guaranteeing anything about
It would be good if you put a warning on the release page about the |
I have only checked the stable specs so far, but the checksums for the following tarballs have changed, and I expect more to change over the coming days:
airspy: https://github.com/airspy/host/archive/v1.0.9.tar.gz
algernon: https://github.com/xyproto/algernon/archive/1.5.1.tar.gz
amazon-ecs-cli: https://github.com/aws/amazon-ecs-cli/archive/v0.6.4.tar.gz
apache-brooklyn-cli: https://github.com/apache/brooklyn-client/archive/rel/apache-brooklyn-0.11.0.tar.gz
aptly: https://github.com/smira/aptly/archive/v1.1.1.tar.gz
arabica: https://github.com/jezhiggins/arabica/archive/2016-January.tar.gz
assh: https://github.com/moul/advanced-ssh-config/archive/v2.6.0.tar.gz
aws-apigateway-importer: https://github.com/awslabs/aws-apigateway-importer/archive/aws-apigateway-importer-1.0.1.tar.gz
aws-sdk-cpp: https://github.com/aws/aws-sdk-cpp/archive/1.1.50.tar.gz
azure-cli: https://github.com/Azure/azure-xplat-cli/archive/v0.10.15-July2017.tar.gz
bartycrouch: https://github.com/Flinesoft/BartyCrouch/archive/3.8.1.tar.gz
bazel@0.2: https://github.com/bazelbuild/bazel/archive/0.2.3.tar.gz
blink1: https://github.com/todbot/blink1/archive/v1.98.tar.gz
bluepill: https://github.com/linkedin/bluepill/archive/v1.1.2.tar.gz
c14-cli: https://github.com/online-net/c14-cli/archive/0.1.tar.gz
certbot: https://github.com/certbot/certbot/archive/v0.18.1.tar.gz
cjdns: https://github.com/cjdelisle/cjdns/archive/cjdns-v20.tar.gz
cli53: https://github.com/barnybug/cli53/archive/0.8.9.tar.gz
cocoapods: https://github.com/CocoaPods/CocoaPods/archive/1.3.1.tar.gz
codequery: https://github.com/ruben2020/codequery/archive/v0.21.0.tar.gz
convox: https://github.com/convox/rack/archive/20170818204318.tar.gz
cookiecutter: https://github.com/audreyr/cookiecutter/archive/1.5.1.tar.gz
cpprestsdk: https://github.com/Microsoft/cpprestsdk/archive/v2.9.1.tar.gz
deisctl: https://github.com/deis/deis/archive/v1.13.4.tar.gz
docker-machine-completion: https://github.com/docker/machine/archive/v0.12.2.tar.gz
docker-machine-driver-vultr: https://github.com/janeczku/docker-machine-vultr/archive/v1.4.0.tar.gz
docker-machine-parallels: https://github.com/Parallels/docker-machine-parallels/archive/v1.2.3.tar.gz
echoprint-codegen: https://github.com/echonest/echoprint-codegen/archive/v4.12.tar.gz
erlang: https://github.com/erlang/otp/archive/OTP-20.0.4.tar.gz
erlang@17: https://github.com/erlang/otp/archive/OTP-17.5.6.9.tar.gz
erlang@18: https://github.com/erlang/otp/archive/OTP-18.3.4.tar.gz
erlang@19: https://github.com/erlang/otp/archive/OTP-19.3.tar.gz
flow: https://github.com/facebook/flow/archive/v0.54.1.tar.gz
gearboy: https://github.com/drhelius/Gearboy/archive/gearboy-2.3.1.tar.gz
gearsystem: https://github.com/drhelius/Gearsystem/archive/gearsystem-2.2.tar.gz
git-lfs: https://github.com/git-lfs/git-lfs/archive/v2.2.1.tar.gz
git-town: https://github.com/Originate/git-town/archive/v4.2.1.tar.gz
giter8: https://github.com/foundweekends/giter8/archive/v0.9.0.tar.gz
glbinding: https://github.com/cginternals/glbinding/archive/v2.1.3.tar.gz
globjects: https://github.com/cginternals/globjects/archive/v1.0.0.tar.gz
gollum: https://github.com/trivago/gollum/archive/v0.4.5.tar.gz
gomplate: https://github.com/hairyhenderson/gomplate/archive/v2.0.1.tar.gz
google-java-format: https://github.com/google/google-java-format/archive/google-java-format-1.4.tar.gz
gosu: https://github.com/gosu-lang/gosu-lang/archive/v1.14.6.tar.gz
hh: https://github.com/dvorka/hstr/archive/1.22.tar.gz
hub: https://github.com/github/hub/archive/v2.2.9.tar.gz
ice: https://github.com/zeroc-ice/ice/archive/v3.7.0.tar.gz
io: https://github.com/stevedekorte/io/archive/2017.09.06.tar.gz
jmxtrans: https://github.com/jmxtrans/jmxtrans/archive/jmxtrans-parent-267.tar.gz
kompose: https://github.com/kubernetes/kompose/archive/v1.1.0.tar.gz
kops: https://github.com/kubernetes/kops/archive/1.7.0.tar.gz
kube-aws: https://github.com/kubernetes-incubator/kube-aws/archive/v0.9.8.tar.gz
kubernetes-cli@1.3: https://github.com/kubernetes/kubernetes/archive/v1.3.10.tar.gz
libgit2: https://github.com/libgit2/libgit2/archive/v0.26.0.tar.gz
liquigraph: https://github.com/fbiville/liquigraph/archive/liquigraph-3.0.1.tar.gz
logtalk: https://github.com/LogtalkDotOrg/logtalk3/archive/lgt3112stable.tar.gz
mame: https://github.com/mamedev/mame/archive/mame0189.tar.gz
metashell: https://github.com/metashell/metashell/archive/v3.0.0.tar.gz
minimesos: https://github.com/ContainerSolutions/minimesos/archive/0.13.0.tar.gz
mogenerator: https://github.com/rentzsch/mogenerator/archive/1.31.tar.gz
monax: https://github.com/monax/monax/archive/v0.18.0.tar.gz
mongoose: https://github.com/cesanta/mongoose/archive/6.8.tar.gz
nats-streaming-server: https://github.com/nats-io/nats-streaming-server/archive/v0.5.0.tar.gz
ndpi: https://github.com/ntop/nDPI/archive/2.0.tar.gz
opencv: https://github.com/opencv/opencv/archive/3.3.0.tar.gz
openvdb: https://github.com/dreamworksanimation/openvdb/archive/v4.0.2.tar.gz
pcap_dnsproxy: https://github.com/chengr28/Pcap_DNSProxy/archive/v0.4.9.0.tar.gz
ponscripter-sekai: https://github.com/sekaiproject/ponscripter-fork/archive/v0.0.6.tar.gz
prometheus: https://github.com/prometheus/prometheus/archive/v1.7.1.tar.gz
protobuf: https://github.com/google/protobuf/archive/v3.4.0.tar.gz
protobuf@3.1: https://github.com/google/protobuf/archive/v3.1.0.tar.gz
pumba: https://github.com/gaia-adm/pumba/archive/0.4.5.tar.gz
rclone: https://github.com/ncw/rclone/archive/v1.37.tar.gz
redex: https://github.com/facebook/redex/archive/v1.1.0.tar.gz
robot-framework: https://github.com/robotframework/robotframework/archive/3.0.2.tar.gz
rom-tools: https://github.com/mamedev/mame/archive/mame0189.tar.gz
sops: https://github.com/mozilla/sops/archive/2.0.10.tar.gz
ssdb: https://github.com/ideawu/ssdb/archive/1.9.4.tar.gz
swagger-codegen: https://github.com/swagger-api/swagger-codegen/archive/v2.2.3.tar.gz
swift: https://github.com/apple/swift/archive/swift-3.1.1-RELEASE.tar.gz
swiftformat: https://github.com/nicklockwood/SwiftFormat/archive/0.29.5.tar.gz
syncthing-inotify: https://github.com/syncthing/syncthing-inotify/archive/v0.8.7.tar.gz
taylor: https://github.com/yopeso/Taylor/archive/0.2.2.tar.gz
tbb: https://github.com/01org/tbb/archive/2017_U7.tar.gz
terraform: https://github.com/hashicorp/terraform/archive/v0.10.4.tar.gz
terragrunt: https://github.com/gruntwork-io/terragrunt/archive/v0.13.2.tar.gz
treefrog: https://github.com/treefrogframework/treefrog-framework/archive/v1.18.0.tar.gz
voldemort: https://github.com/voldemort/voldemort/archive/release-1.10.25-cutoff.tar.gz
voltdb: https://github.com/VoltDB/voltdb/archive/voltdb-6.9.tar.gz
wolfssl: https://github.com/wolfSSL/wolfssl/archive/v3.12.0-stable.tar.gz
wrangler: https://github.com/RefactoringTools/wrangler/archive/wrangler1.2.tar.gz
xctool: https://github.com/facebook/xctool/archive/0.3.3.tar.gz
yaml-cpp: https://github.com/jbeder/yaml-cpp/archive/release-0.5.3.tar.gz
zorba: https://github.com/28msec/zorba/archive/3.1.tar.gz
CC @DomT4 this makes the patch ordeal look like nothing.
The text was updated successfully, but these errors were encountered: