I experienced issues building older versions of ruby (2.0.0-p247 seems to be fine) using ruby-build due to conflicting md5 checksums. I wonder if this is related to the ruby-lang.org outage?
ruby 2.0.0-p247 expected md5: c351450a0bed670e0f5ca07da3458a5b
ruby 2.0.0-p195 expected md5: 0672e5af309ae99d1703d0e96eff8ea5
ruby 2.0.0-p0 expected md5: 50d307c4dc9297ae59952527be4e755d
$ md5 ruby-2.0.0-p247.tar.gz
MD5 (ruby-2.0.0-p247.tar.gz) = c351450a0bed670e0f5ca07da3458a5b
$ md5 ruby-2.0.0-p195.tar.gz
MD5 (ruby-2.0.0-p195.tar.gz) = a13b554eedb3a59a8c462a054b8722df
$ md5 ruby-2.0.0-p0.tar.gz
MD5 (ruby-2.0.0-p0.tar.gz) = 45ee176c1c93bc2383cf2a41b6959e43
Other versions might be affected as well.
I can confirm that the md5/sha256 of a freshly downloaded ruby-2.0.0-p195.tar.gz deviate from the expected hashes published in the release notes (the size is correct, though).
@ijin Thanks for your reports. we are starting to investigate it.
Hm, is it possible that this recent commit to ruby-build caused this?
@colszowka This is a real data corruption (you cannot expand those MD5-distinct tar.gz files) so not a ruby-build issue I believe. Sorry for your inconvenience. We are trying to recover.
@shyouhei No worries, I was just wondering whether maybe the checksums differ between ftp/http protocol for some reason and this hasn't been noticed prior to ruby-build switching protocols as I'm not sure how this is handled at ftp.ruby-lang.org. Fingers crossed you get this resolved without too much trouble!
This has nothing to do with ruby-build.
It seems very strange and potentially very bad. 😕
Are the builds hosted anywhere else that we may be able to point to in the interim?
@ronwsmith Someone on twitter mentioned http://mirrorservice.org/sites/ftp.ruby-lang.org/pub/ruby/ - Not sure if the checksums are alright there though ( Edit: At least for 2.0.0-p195 the md5sum is correct there )
@sferik Didn't mean to put blame on ruby-build, my initial thought just was that this might be related considering it was a recent change and the OP mentioned ruby-build. I thought maybe the ftp/http checksums are for some reason different, but considering these are official packages, that does not make sense. Strange indeed.
@ronwsmith 37signals maintains an Amazon CloudFront mirror at http://dqw8nmjcqpjn7.cloudfront.net/. It is not the most up-to-date mirror but you can try requesting packages by their MD5 checksum. For example, Ruby 1.9.3p374 is mirrored at http://dqw8nmjcqpjn7.cloudfront.net/90b6c327abcdf30a954c2d6ae44da2a9.
Thanks @colszowka and @sferik! For anyone else looking, you need to change the URL in ~/.rbenv/plugins/ruby-build/share/ruby-build. If you don't have a plugins directory, go clone ruby-build into it and you'll be good to go.
It's unclear: Do we think ruby-lang.org's tarballs have been compromised? Is there a better thread than this one to be watching?
@ronwsmith If you installed ruby-build via Homebrew on OS X, the directory is /usr/local/Cellar/ruby-build/20130628/share/ruby-build/ assuming you've kept Homebrew installed packages up to date.
@tsaleh There was a hardware issue (first reported around 00:45 UTC) that caused downloads from ftp.ruby-lang.org to fail over HTTP (but not over FTP). After the hardware issue was resolved and FTP service was restored, @ijin noticed that the MD5 checksums for some Ruby versions didn’t match the checksums in the release notes and opened this issue. As a precaution, the FTP server was voluntarily taken offline until we can understand why the the checksums don’t match and can guarantee that downloads from ftp.ruby-lang.org are safe.
Periodic updates are being posted here.
Is there any work around for rvm to install successfully?
@sferik Thanks for your supplementary comments.
We are restoring from other mirrors and confirming these checksums.
Is there any estimated time for being ready to go again?
As for rvm, it looks like there is an rvm tools mirror command which configures rvm to use mirrorservice.org. Worked for me, but it might be a good idea to check the hashes. For me, checking ~/.rvm/archives, the file matched the changelog:
rvm tools mirror
$ shasum -a 256 ruby-1.8.7-p374.tar.bz2
It seems like FTP/HTTP is back up on ruby-lang.org for now.
@ijin ftp.ruby-lang.org is resumed now. I appreciated your report.
@hsbt 👍 Great job!
@hsbt thanks so much for the quick response!