md5 changed for older ruby versions? #259

Closed
ijin opened this Issue Aug 6, 2013 · 22 comments

@ijin
ijin commented Aug 6, 2013

I experienced issues building older versions of ruby (2.0.0-p247 seems to be fine) using ruby-build due to conflicting md5 checksums. I wonder if this is related to the ruby-lang.org outage?

Expected:

ruby 2.0.0-p247 expected md5: c351450a0bed670e0f5ca07da3458a5b
ruby 2.0.0-p195 expected md5: 0672e5af309ae99d1703d0e96eff8ea5
ruby 2.0.0-p0 expected md5: 50d307c4dc9297ae59952527be4e755d

Actual:

$ md5 ruby-2.0.0-p247.tar.gz
MD5 (ruby-2.0.0-p247.tar.gz) = c351450a0bed670e0f5ca07da3458a5b

$ md5 ruby-2.0.0-p195.tar.gz
MD5 (ruby-2.0.0-p195.tar.gz) = a13b554eedb3a59a8c462a054b8722df

$ md5 ruby-2.0.0-p0.tar.gz
MD5 (ruby-2.0.0-p0.tar.gz) = 45ee176c1c93bc2383cf2a41b6959e43

Other versions might be affected as well.

@stomar
Member
stomar commented Aug 6, 2013

cc @hsbt

I can confirm that the md5/sha256 of a freshly downloaded ruby-2.0.0-p195.tar.gz deviate from the expected hashes published in the release notes (the size is correct, though).

@hsbt hsbt was assigned Aug 6, 2013
@hsbt
Member
hsbt commented Aug 6, 2013

@ijin Thanks for your reports. We are starting to investigate it.

@colszowka
Contributor

Hm, is it possible that this recent commit to ruby-build caused this?

amk-boCO referenced this issue in rbenv/ruby-build on Aug 6, 2013: 404 on rbenv install #390 (Closed)

@shyouhei
Member
shyouhei commented Aug 6, 2013

@colszowka This is a real data corruption (you cannot expand those MD5-distinct tar.gz files) so not a ruby-build issue I believe. Sorry for your inconvenience. We are trying to recover.

@colszowka
Contributor

@shyouhei No worries, I was just wondering whether maybe the checksums differ between ftp/http protocol for some reason and this hasn't been noticed prior to ruby-build switching protocols as I'm not sure how this is handled at ftp.ruby-lang.org. Fingers crossed you get this resolved without too much trouble!

@sferik
sferik commented Aug 6, 2013

This has nothing to do with ruby-build.

It seems very strange and potentially very bad. 😕

@ronwsmith

Are the builds hosted anywhere else that we may be able to point to in the interim?

@colszowka
Contributor

@ronwsmith Someone on twitter mentioned http://mirrorservice.org/sites/ftp.ruby-lang.org/pub/ruby/ - Not sure if the checksums are alright there though (Edit: At least for 2.0.0-p195 the md5sum is correct there).

@sferik Didn't mean to put blame on ruby-build, my initial thought just was that this might be related considering it was a recent change and the OP mentioned ruby-build. I thought maybe the ftp/http checksums are for some reason different, but considering these are official packages, that does not make sense. Strange indeed.

@sferik
sferik commented Aug 6, 2013

@ronwsmith 37signals maintains an Amazon CloudFront mirror at http://dqw8nmjcqpjn7.cloudfront.net/. It is not the most up-to-date mirror but you can try requesting packages by their MD5 checksum. For example, Ruby 1.9.3p374 is mirrored at http://dqw8nmjcqpjn7.cloudfront.net/90b6c327abcdf30a954c2d6ae44da2a9.

@ronwsmith

Thanks @colszowka and @sferik! For anyone else looking, you need to change the URL in ~/.rbenv/plugins/ruby-build/share/ruby-build. If you don't have a plugins directory, go clone ruby-build into it and you'll be good to go.

@tsaleh
tsaleh commented Aug 6, 2013

It's unclear: Do we think ruby-lang.org's tarballs have been compromised? Is there a better thread than this one to be watching?

@AnInanimateCarbonRod

@ronwsmith If you installed ruby-build via Homebrew on OS X, the directory is /usr/local/Cellar/ruby-build/20130628/share/ruby-build/ assuming you've kept Homebrew installed packages up to date.

@sferik
sferik commented Aug 6, 2013

@tsaleh There was a hardware issue (first reported around 00:45 UTC) that caused downloads from ftp.ruby-lang.org to fail over HTTP (but not over FTP). After the hardware issue was resolved and FTP service was restored, @ijin noticed that the MD5 checksums for some Ruby versions didn’t match the checksums in the release notes and opened this issue. As a precaution, the FTP server was voluntarily taken offline until we can understand why the checksums don’t match and can guarantee that downloads from ftp.ruby-lang.org are safe.

Periodic updates are being posted here.

If you decide to download Ruby from one of these mirrors, please be vigilant and verify that the MD5 checksums of any files you download match the MD5 checksum in the release notes for that version. Obviously, you should also verify that the release notes are from a trusted source. We have no reason to believe that www.ruby-lang.org was compromised (it runs on different hardware than ftp.ruby-lang.org) but it’s worth double-checking the release notes against the oldest version you can find on archive.org, just to be safe.

@aniruddh
aniruddh commented Aug 7, 2013

Is there any work around for rvm to install successfully?

@hsbt
Member
hsbt commented Aug 7, 2013

@sferik Thanks for your supplementary comments.

We are restoring from other mirrors and confirming these checksums.

@kclamunyon

Is there any estimated time for being ready to go again?

@mpontillo

As for rvm, it looks like there is an rvm tools mirror command which configures rvm to use mirrorservice.org. Worked for me, but it might be a good idea to check the hashes. For me, checking ~/.rvm/archives, the file matched the changelog:

$ shasum -a 256 ruby-1.8.7-p374.tar.bz2
b4e34703137f7bfb8761c4ea474f7438d6ccf440b3d35f39cc5e4d4e239c07e3  ruby-1.8.7-p374.tar.bz2
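The checks recommended in the thread (sferik's advice to compare downloads against the release notes, stomar's observation that the size was right while the md5/sha256 were wrong, and the shasum run above) can be scripted. The following is an added example, not code from ruby-build, rvm or ruby-lang.org: it streams a tarball through MD5 and SHA256, compares size and both digests against values copied from the release notes, and reports every mismatch. The EXPECTED table and the files written by demo_verify are constructed for the demo and are not real Ruby tarballs.

```ruby
require "digest"
require "tmpdir"

# Digests as they would be copied from the release notes. These values are
# for the CONSTRUCTED sample files written by demo_verify, not for any real
# Ruby tarball (assumption: the notes publish size, md5 and sha256 per file).
EXPECTED = {
  "ruby-x.tar.gz" => {
    size: 5,
    md5: "5d41402abc4b2a76b9719d911017c592",
    sha256: "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
  },
}

# Case-insensitive, constant-time comparison of two hex digests. Published
# digests are not secret, so timing hardly matters here; the habit is cheap.
def digest_match?(actual, expected)
  a = actual.downcase
  b = expected.to_s.downcase
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifies one file against the published values. Returns a report hash whose
# :ok is true only when the size and every published digest match. Digests are
# computed by streaming the file, so large tarballs are not read into memory.
def verify_tarball(path, expected)
  problems = []
  actual_size = File.size(path)
  if expected[:size] && actual_size != expected[:size]
    problems << "size #{actual_size} != #{expected[:size]}"
  end

  actual = {
    md5: Digest::MD5.file(path).hexdigest,
    sha256: Digest::SHA256.file(path).hexdigest,
  }
  %i[md5 sha256].each do |alg|
    next unless expected[alg] # nothing published for this algorithm
    unless digest_match?(actual[alg], expected[alg])
      problems << "#{alg} #{actual[alg]} != #{expected[alg]}"
    end
  end

  {
    ok: problems.empty?,
    size: actual_size,
    actual: actual,
    problems: problems,
    # MD5 alone cannot rule out a deliberately crafted collision; flag it so a
    # caller can insist on a sha256 from the release notes.
    md5_only: expected[:sha256].nil?,
  }
end

# Writes two constructed files in a temp dir: an intact one, and one whose
# contents differ by a single byte but whose size still matches, which is the
# situation stomar describes. Returns the reports for both.
def demo_verify
  Dir.mktmpdir do |dir|
    good = File.join(dir, "ruby-x.tar.gz")
    bad  = File.join(dir, "ruby-x-corrupt.tar.gz")
    File.binwrite(good, "hello")
    File.binwrite(bad, "hellp") # same length, one byte changed
    exp = EXPECTED["ruby-x.tar.gz"]
    [verify_tarball(good, exp), verify_tarball(bad, exp)]
  end
end

if $PROGRAM_NAME == __FILE__
  demo_verify.each do |r|
    puts(r[:ok] ? "OK" : "MISMATCH: #{r[:problems].join('; ')}")
  end
end
```

The point of the second file is that a size check alone would have passed it; only the digests catch the corruption. Treat any reported problem as "do not unpack", and when the release notes give a sha256, prefer it over the md5.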

@buntine
buntine commented Aug 7, 2013

It seems like FTP/HTTP is back up on ruby-lang.org for now.

@hsbt
Member
hsbt commented Aug 7, 2013

@ijin ftp.ruby-lang.org has resumed now. I appreciate your report.

@hsbt hsbt closed this Aug 7, 2013
@shyouhei
Member
shyouhei commented Aug 7, 2013

@hsbt 👍 Great job!

@ijin
ijin commented Aug 7, 2013

@hsbt thanks!

@amk-boCO
amk-boCO commented Aug 7, 2013

@hsbt thanks so much for the quick response!
