Skip to content


md5 changed for older ruby versions? #259

ijin opened this Issue · 22 comments

I experienced issues building older versions of ruby (2.0.0-p247 seems to be fine) using ruby-build due to conflicting md5 checksums. I wonder if this is related to the outage?


ruby 2.0.0-p247 expected md5: c351450a0bed670e0f5ca07da3458a5b
ruby 2.0.0-p195 expected md5: 0672e5af309ae99d1703d0e96eff8ea5
ruby 2.0.0-p0 expected md5: 50d307c4dc9297ae59952527be4e755d


$ md5 ruby-2.0.0-p247.tar.gz
MD5 (ruby-2.0.0-p247.tar.gz) = c351450a0bed670e0f5ca07da3458a5b

$ md5 ruby-2.0.0-p195.tar.gz
MD5 (ruby-2.0.0-p195.tar.gz) = a13b554eedb3a59a8c462a054b8722df

$ md5 ruby-2.0.0-p0.tar.gz
MD5 (ruby-2.0.0-p0.tar.gz) = 45ee176c1c93bc2383cf2a41b6959e43

Other versions might be affected as well.


cc @hsbt

I can confirm that the md5/sha256 of a freshly downloaded ruby-2.0.0-p195.tar.gz deviate from the expected hashes published in the release notes (the size is correct, though).

@hsbt hsbt was assigned

@ijin Thanks for your reports. we are starting to investigate it.


Hm, is it possible that this recent commit to ruby-build caused this?

@amk-boCO amk-boCO referenced this issue in rbenv/ruby-build

404 on rbenv install #390


@colszowka This is a real data corruption (you cannot expand those MD5-distinct tar.gz files) so not a ruby-build issue I believe. Sorry for your inconvenience. We are trying to recover.


@shyouhei No worries, I was just wondering whether maybe the checksums differ between ftp/http protocol for some reason and this hasn't been noticed prior to ruby-build switching protocols as I'm not sure how this is handled at Fingers crossed you get this resolved without too much trouble!


This has nothing to do with ruby-build.

It seems very strange and potentially very bad. :confused:


Are the builds hosted anywhere else that we may be able to point to in the interim?


@ronwsmith Someone on twitter mentioned - Not sure if the checksums are alright there though ( Edit: At least for 2.0.0-p195 the md5sum is correct there )

@sferik Didn't mean to put blame on ruby-build, my initial thought just was that this might be related considering it was a recent change and the OP mentioned ruby-build. I thought maybe the ftp/http checksums are for some reason different, but considering these are official packages, that does not make sense. Strange indeed.


@ronwsmith 37signals maintains an Amazon CloudFront mirror at It is not the most up-to-date mirror but you can try requesting packages by their MD5 checksum. For example, Ruby 1.9.3p374 is mirrored at


Thanks @colszowka and @sferik! For anyone else looking, you need to change the URL in ~/.rbenv/plugins/ruby-build/share/ruby-build. If you don't have a plugins directory, go clone ruby-build into it and you'll be good to go.


It's unclear: Do we think's tarballs have been compromised? Is there a better thread than this one to be watching?


@ronwsmith If you installed ruby-build via Homebrew on OS X, the directory is /usr/local/Cellar/ruby-build/20130628/share/ruby-build/ assuming you've kept Homebrew installed packages up to date.


@tsaleh There was a hardware issue (first reported around 00:45 UTC) that caused downloads from to fail over HTTP (but not over FTP). After the hardware issue was resolved and FTP service was restored, @ijin noticed that the MD5 checksums for some Ruby versions didn’t match the checksums in the release notes and opened this issue. As a precaution, the FTP server was voluntarily taken offline until we can understand why the the checksums don’t match and can guarantee that downloads from are safe.

Periodic updates are being posted here.

If you decide to download Ruby from one of these mirrors, please be vigilant and verify the MD5 checksums of any files you download match MD5 checksum in the release notes for that version. Obviously, you should also verify that the release notes are from a trusted source. We have no reason to believe that was compromised (it runs on different hardware than but it’s worth double-checking the release notes against the oldest version you can find on, just to be safe.


Is there any work around for rvm to install successfully?


@sferik Thanks for your supplementary comments.

We are restoring from other mirrors and confirming these checksums.


Is there any estimated time for being ready to go again?


As for rvm, it looks like there is an rvm tools mirror command which configures rvm to use Worked for me, but it might be a good idea to check the hashes. For me, checking ~/.rvm/archives, the file matched the changelog:

$ shasum -a 256 ruby-1.8.7-p374.tar.bz2
b4e34703137f7bfb8761c4ea474f7438d6ccf440b3d35f39cc5e4d4e239c07e3  ruby-1.8.7-p374.tar.bz2

It seems like FTP/HTTP is back up on for now.


@ijin is resumed now. I appreciated your report.

@hsbt hsbt closed this

@hsbt :+1: Great job!


@hsbt thanks!


@hsbt thanks so much for the quick response!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.