Nodejs 15: ICU 68.1 tarball doesn't match provided md5sum #36776

sgallagher · 2021-01-04T15:11:10Z

Version: 15.5.0
Platform: All (tarball contents)
Subsystem: Build

What steps will reproduce the bug?

Download ICU 68.1 from https://github.com/unicode-org/icu/releases/download/release-68-1/icu4c-68_1-src.tgz as specified in https://github.com/nodejs/node/blob/v15.5.0/tools/icu/current_ver.dep
Run md5sum icu4c-68_1-src.tgz
Compare md5 from current_ver.dep to the results of the md5sum

Actual result: 6a99b541ea01f271257b121a4433c7c0 icu4c-68_1-src.tgz doesn't match fd03b2d916dcadd3711b4c4a100a1713

How often does it reproduce? Is there a required condition?

Reproduces successfully every time.

What is the expected behavior?

The md5sums need to match.

What do you see instead?

The md5sums differ, which means the tarball cannot be considered trusted.

Additional information

Someone needs to audit the ICU tarball and determine where the difference occurred.

The text was updated successfully, but these errors were encountered:

richardlau · 2021-01-04T15:49:19Z

Looks like it might be a copy/paste error. https://github.com/unicode-org/icu/releases/download/release-68-1/icu-68_1-src.md5 lists:

6a99b541ea01f271257b121a4433c7c0  icu4c-68_1-src.tgz
fd03b2d916dcadd3711b4c4a100a1713  icu4c-68_1-src.zip

so it looks like the hash is for the zip version of the source. I've raised #36777 to correct.

Fixes: nodejs#36776

sgallagher · 2021-01-04T15:52:28Z

Thanks! I have a script I use to assist with updating Node.js in Fedora and it choked while trying to verify the ICU integrity.

Correct md5sum hash for the tarball version of the ICU 68.1 source. The previously recorded md5sum hash was for the zip version. PR-URL: #36777 Fixes: #36776 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Beth Griggs <bgriggs@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>

richardlau mentioned this issue Jan 4, 2021

tools: fix md5 hash for ICU 68.1 src #36777

Closed

4 tasks

targos added a commit to targos/node that referenced this issue Jan 4, 2021

tools: correct MD5 of ICU 68.1 tarball

9d8ae11

Fixes: nodejs#36776

targos mentioned this issue Jan 4, 2021

tools: correct MD5 of ICU 68.1 tarball #36778

Closed

targos added the icu Issues and PRs related to the ICU dependency. label Jan 4, 2021

Trott closed this as completed in fcf6226 Jan 6, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Nodejs 15: ICU 68.1 tarball doesn't match provided md5sum #36776

Nodejs 15: ICU 68.1 tarball doesn't match provided md5sum #36776

sgallagher commented Jan 4, 2021

richardlau commented Jan 4, 2021

sgallagher commented Jan 4, 2021

Nodejs 15: ICU 68.1 tarball doesn't match provided md5sum #36776

Nodejs 15: ICU 68.1 tarball doesn't match provided md5sum #36776

Comments

sgallagher commented Jan 4, 2021

What steps will reproduce the bug?

How often does it reproduce? Is there a required condition?

What is the expected behavior?

What do you see instead?

Additional information

richardlau commented Jan 4, 2021

sgallagher commented Jan 4, 2021