brew install --build-from-source unison fails with hash mismatch

[BlinkyStitt]

brew install --build-from-source unison
==> Downloading http://www.seas.upenn.edu/~bcpierce/unison//download/releases/unison-2.40.102/unison-2.40.102.tar.gz
######################################################################## 100.0%
Error: SHA1 mismatch
Expected: bf18f64fa30bd04234e864d42190294e0d9a2910
Actual: 5165a1c61a4f323ed0639e8fb891cfa86eb1d463
Archive: /Library/Caches/Homebrew/unison-2.40.102.tar.gz
To retry an incomplete download, remove the file above.

If I change the formula to use 5165a1c61a4f323ed0639e8fb891cfa86eb1d463 then I get a different error:

brew install --build-from-source unison
==> Downloading http://www.seas.upenn.edu/~bcpierce/unison//download/releases/unison-2.40.102/unison-2.40.102.tar.gz
Already downloaded: /Library/Caches/Homebrew/unison-2.40.102.tar.gz
==> Patching
patching file ubase/util.ml
Hunk #1 FAILED at 62.
1 out of 1 hunk FAILED -- saving rejects to file ubase/util.ml.rej
Error: Failure while executing: /usr/bin/patch -g 0 -f -p1

Luckily I had the old tar.gz with bf18f64fa30bd04234e864d42190294e0d9a2910 on another system so I am using that for now

[DomT4]

I'm not super-sure why we're using such an old version, to be honest. The current stable version is 2.48.3, which MacPorts is shipping. Draw up a PR to fix this, if you like.

But indeed, the upstream SHA seems to have changed. Can replicate that locally. Hopefully it's just a stealth update rather than anything else, although it may be worth checking upstream.

[tdsmith]

2.48 was promoted from a dev branch to a stable branch sometime in the last few weeks. I've applied to join their -users mailing list to ask what's up.

[jacknagel]

2.48.x was pulled.

[nilnvoid]

This issue is not resolved yet?

brew install --build-from-source unison
==> Downloading http://www.seas.upenn.edu/~bcpierce/unison//download/releases/stable/unison-2.48.3.t
######################################################################## 100.0%
Error: SHA1 mismatch
Expected: 74f1c087ee49dc1db4680ad779280f7333d5c968
Actual: 2a0cfc95e95b9e9457c39faa4fe5b8184023cd0c
Archive: /Library/Caches/Homebrew/unison-2.48.3.tar.gz
To retry an incomplete download, remove the file above.

[DomT4]

It was. The upstream checksum has actually changed here. Someone needs to report it to them and make sure nobody's changed things nefariously.

[DomT4]

Issue persists. Upstream mailing lists require membership, and are pretty dead regardless. Not sure quite where to push the SHA failure at this point.

[nilnvoid]

Any update on this?

[MikeMcQuaid]

@LotusWeb No. Please contact Unison and see if they were hacked or if they changed this package on purpose.

[nilnvoid]

This is the answer from group:
https://groups.yahoo.com/neo/groups/unison-users/conversations/messages/11539

[DomT4]

Should be safe to tee up a PR to change the old SHA1 to the new SHA256 then, if you like.

[matthewlmcclure]

I posted a request for the expected SHA1 hash of unison-2.48.3.tar.gz to the unison-hackers list. Presumably my message will appear at http://lists.seas.upenn.edu/pipermail/unison-hackers/2015-June/thread.html when that index gets updated.

[matthewlmcclure]

Just to close the loop, the Unison maintainers confirmed the SHA256 hash at http://lists.seas.upenn.edu/pipermail/unison-hackers/2015-June/001835.html