Description
Is this a critical security issue?
- This is not a security issue.
Describe the Bug
The FreeBSD ports are built from the tar.gz artifact of openvoxdb, which is available at this address:
https://artifacts.voxpupuli.org/openvoxdb/8.9.1/openvoxdb-8.9.1.tar.gz
I have been working on FreeBSD ports for the openvox stack for some time, so I downloaded this artifact "a long time ago" (I don't know exactly when), and it is kept cached locally to avoid re-downloading the same file again and again. The FreeBSD ports ensure downloaded files' integrity by comparing the sha256 checksum of the distfile with the expected checksum in a distinfo file.
Yesterday, I pushed my WIP ports to the FreeBSD ports tree. This automatically triggers the build of packages. But today I received an e-mail from the build service telling me that openvoxdb8-8.9.1 and openvoxdb-terminus8-8.9.1 could not be built because the distfile had changed:
https://pkg-status.freebsd.org/beefy21/data/142i386-default/fc1a825d9035/logs/openvoxdb8-8.9.1.log
https://pkg-status.freebsd.org/beefy21/data/142i386-default/fc1a825d9035/logs/openvoxdb-terminus8-8.9.1.log
I re-downloaded the new distfile (to distfiles/openvoxdb-8.9.1.tar.gz) and compared it with the one I downloaded previously (/usr/ports/distfiles/openvoxdb-8.9.1.tar.gz):
$ ll /usr/ports/distfiles/openvoxdb-8.9.1.tar.gz distfiles/openvoxdb-8.9.1.tar.gz
-rw-r--r-- 1 root romain 61667810 19 mars 11:25 /usr/ports/distfiles/openvoxdb-8.9.1.tar.gz
-rw-r--r-- 1 romain romain 61674414 19 juil. 01:41 distfiles/openvoxdb-8.9.1.tar.gz
$ sha256 /usr/ports/distfiles/openvoxdb-8.9.1.tar.gz distfiles/openvoxdb-8.9.1.tar.gz
SHA256 (/usr/ports/distfiles/openvoxdb-8.9.1.tar.gz) = ac4b2ad8de6b95edb2a53d8c85421cd3aa1daafff3499b986a822b68b4186355
SHA256 (distfiles/openvoxdb-8.9.1.tar.gz) = f89190ea331e60ab62bb69f53b5af1aa19350c78aa9ffade89f3dbc7e0aabcbb
$ diff -u <(tar ztf /usr/ports/distfiles/openvoxdb-8.9.1.tar.gz | sort) <(tar ztf distfiles/openvoxdb-8.9.1.tar.gz | sort)
--- /tmp/zshafvl84 2025-07-20 08:13:10.256990000 -1000
+++ /tmp/zshjdLsVc 2025-07-20 08:13:10.497468000 -1000
@@ -9,11 +9,7 @@
puppetdb-8.9.1/ext/cli/anonymize
puppetdb-8.9.1/ext/cli/config-migration
puppetdb-8.9.1/ext/cli/delete-reports
-puppetdb-8.9.1/ext/cli/foreground
-puppetdb-8.9.1/ext/cli/reload
puppetdb-8.9.1/ext/cli/ssl-setup
-puppetdb-8.9.1/ext/cli/start
-puppetdb-8.9.1/ext/cli/stop
puppetdb-8.9.1/ext/cli/upgrade
puppetdb-8.9.1/ext/config/
puppetdb-8.9.1/ext/config/bootstrap.cfg
@@ -31,7 +27,6 @@
puppetdb-8.9.1/ext/debian/preinst
puppetdb-8.9.1/ext/debian/prerm
puppetdb-8.9.1/ext/debian/puppetdb.default_file
-puppetdb-8.9.1/ext/debian/puppetdb.init_script
puppetdb-8.9.1/ext/debian/puppetdb.service_file
puppetdb-8.9.1/ext/default
puppetdb-8.9.1/ext/docs/
@@ -156,13 +151,8 @@
puppetdb-8.9.1/ext/ezbake.manifest
puppetdb-8.9.1/ext/fpm.rb
puppetdb-8.9.1/ext/project_data.yaml
-puppetdb-8.9.1/ext/puppetdb.logrotate-legacy.conf
puppetdb-8.9.1/ext/puppetdb.logrotate.conf
-puppetdb-8.9.1/ext/puppetdb.needrestart.conf
-puppetdb-8.9.1/ext/puppetdb.tmpfiles.conf
puppetdb-8.9.1/ext/redhat/
-puppetdb-8.9.1/ext/redhat/init
-puppetdb-8.9.1/ext/redhat/init.suse
puppetdb-8.9.1/ext/redhat/postinst
puppetdb-8.9.1/ext/redhat/postrm
puppetdb-8.9.1/ext/redhat/preinst
@@ -170,7 +160,6 @@
puppetdb-8.9.1/ext/redhat/puppetdb.service
puppetdb-8.9.1/Gemfile
puppetdb-8.9.1/install.sh
-puppetdb-8.9.1/Makefile
puppetdb-8.9.1/puppet/
puppetdb-8.9.1/puppet/face/
puppetdb-8.9.1/puppet/face/node/
As you can see, the date of the "original" distfile is the date of when the 8.9.1 tag was created, while the "new" one is from yesterday.
These changes seem to be related to OpenVoxProject/ezbake#5, which was merged in May.
In short, we happened to unexpectedly re-generate this distfile and upload it, overwriting the previous file.
Expected Behavior
Distfiles shall never be replaced.
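The distinfo check described in the report, as an added example that is not part of the issue or of the FreeBSD ports framework: it parses distinfo entries in their real `SHA256 (file) = ...` / `SIZE (file) = ...` form and reports the same kind of mismatch the build service hit. The tarball contents, the distinfo text and the helper names (`parse_distinfo`, `verify_distfile`, `check`) are constructed for this example.

```python
import hashlib
import re
from typing import Optional

# distinfo lines look like:  SHA256 (openvoxdb-8.9.1.tar.gz) = <hex>
#                            SIZE (openvoxdb-8.9.1.tar.gz) = 61667810
_ENTRY = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text: str) -> dict:
    """Return {distfile name: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries: dict = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # TIMESTAMP and blank lines carry no per-file data
        rec = entries.setdefault(m["name"], {})
        key = m.group(1)
        rec[key] = int(m["value"]) if key == "SIZE" else m["value"].lower()
    return entries

def verify_distfile(name: str, data: bytes, distinfo: dict) -> Optional[str]:
    """Return None if data matches its distinfo entry, else a reason string."""
    rec = distinfo.get(name)
    if rec is None or "SHA256" not in rec or "SIZE" not in rec:
        return f"{name}: no complete distinfo entry"
    # Size is cheap and already catches a replaced artifact (61667810 vs 61674414 bytes above).
    if len(data) != rec["SIZE"]:
        return f"{name}: size mismatch (expected {rec['SIZE']}, got {len(data)})"
    actual = hashlib.sha256(data).hexdigest()
    if actual != rec["SHA256"]:
        return f"{name}: checksum mismatch (expected {rec['SHA256']}, got {actual})"
    return None

# Constructed stand-ins for the two tarballs (the real ones are ~61 MB) and a
# constructed distinfo in the real file's format, pinned to the first one.
ORIGINAL = b"openvoxdb-8.9.1 tarball as published at tag time\n"
REGENERATED = ORIGINAL + b"rebuilt later with changed ezbake templates\n"
DISTINFO = (
    "TIMESTAMP = 1742383500\n"
    f"SHA256 (openvoxdb-8.9.1.tar.gz) = {hashlib.sha256(ORIGINAL).hexdigest()}\n"
    f"SIZE (openvoxdb-8.9.1.tar.gz) = {len(ORIGINAL)}\n"
)

def check(data: bytes) -> Optional[str]:
    return verify_distfile("openvoxdb-8.9.1.tar.gz", data, parse_distinfo(DISTINFO))

if __name__ == "__main__":
    print("cached copy:", check(ORIGINAL) or "OK")
    print("re-downloaded copy:", check(REGENERATED))
```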