Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


md5 changed for older ruby versions? #259

ijin opened this Issue · 22 comments

14 participants

Michael H. Oshita Marcus Stollsteimer SHIBATA Hiroshi Christoph Olszowka Urabe, Shyouhei Erik Michaels-Ober ronwsmith Tammer Saleh Ryan Morrison aniruddh kclamunyon Mike Pontillo Andrew Buntine Andreas M. Kavountzis
Michael H. Oshita

I experienced issues building older versions of ruby (2.0.0-p247 seems to be fine) using ruby-build due to conflicting md5 checksums. I wonder if this is related to the outage?


ruby 2.0.0-p247 expected md5: c351450a0bed670e0f5ca07da3458a5b
ruby 2.0.0-p195 expected md5: 0672e5af309ae99d1703d0e96eff8ea5
ruby 2.0.0-p0 expected md5: 50d307c4dc9297ae59952527be4e755d


$ md5 ruby-2.0.0-p247.tar.gz
MD5 (ruby-2.0.0-p247.tar.gz) = c351450a0bed670e0f5ca07da3458a5b

$ md5 ruby-2.0.0-p195.tar.gz
MD5 (ruby-2.0.0-p195.tar.gz) = a13b554eedb3a59a8c462a054b8722df

$ md5 ruby-2.0.0-p0.tar.gz
MD5 (ruby-2.0.0-p0.tar.gz) = 45ee176c1c93bc2383cf2a41b6959e43

Other versions might be affected as well.

Marcus Stollsteimer

cc @hsbt

I can confirm that the md5/sha256 of a freshly downloaded ruby-2.0.0-p195.tar.gz deviate from the expected hashes published in the release notes (the size is correct, though).

SHIBATA Hiroshi hsbt was assigned

@ijin Thanks for your reports. we are starting to investigate it.

Christoph Olszowka

Hm, is it possible that this recent commit to ruby-build caused this?

Andreas M. Kavountzis amk-boCO referenced this issue in sstephenson/ruby-build

404 on rbenv install #390

Urabe, Shyouhei

@colszowka This is a real data corruption (you cannot expand those MD5-distinct tar.gz files) so not a ruby-build issue I believe. Sorry for your inconvenience. We are trying to recover.

Christoph Olszowka

@shyouhei No worries, I was just wondering whether maybe the checksums differ between ftp/http protocol for some reason and this hasn't been noticed prior to ruby-build switching protocols as I'm not sure how this is handled at Fingers crossed you get this resolved without too much trouble!

Erik Michaels-Ober

This has nothing to do with ruby-build.

It seems very strange and potentially very bad. :confused:


Are the builds hosted anywhere else that we may be able to point to in the interim?

Christoph Olszowka

@ronwsmith Someone on twitter mentioned - Not sure if the checksums are alright there though ( Edit: At least for 2.0.0-p195 the md5sum is correct there )

@sferik Didn't mean to put blame on ruby-build, my initial thought just was that this might be related considering it was a recent change and the OP mentioned ruby-build. I thought maybe the ftp/http checksums are for some reason different, but considering these are official packages, that does not make sense. Strange indeed.

Erik Michaels-Ober

@ronwsmith 37signals maintains an Amazon CloudFront mirror at It is not the most up-to-date mirror but you can try requesting packages by their MD5 checksum. For example, Ruby 1.9.3p374 is mirrored at


Thanks @colszowka and @sferik! For anyone else looking, you need to change the URL in ~/.rbenv/plugins/ruby-build/share/ruby-build. If you don't have a plugins directory, go clone ruby-build into it and you'll be good to go.

Tammer Saleh

It's unclear: Do we think's tarballs have been compromised? Is there a better thread than this one to be watching?

Ryan Morrison

@ronwsmith If you installed ruby-build via Homebrew on OS X, the directory is /usr/local/Cellar/ruby-build/20130628/share/ruby-build/ assuming you've kept Homebrew installed packages up to date.

Erik Michaels-Ober

@tsaleh There was a hardware issue (first reported around 00:45 UTC) that caused downloads from to fail over HTTP (but not over FTP). After the hardware issue was resolved and FTP service was restored, @ijin noticed that the MD5 checksums for some Ruby versions didn’t match the checksums in the release notes and opened this issue. As a precaution, the FTP server was voluntarily taken offline until we can understand why the the checksums don’t match and can guarantee that downloads from are safe.

Periodic updates are being posted here.

If you decide to download Ruby from one of these mirrors, please be vigilant and verify the MD5 checksums of any files you download match MD5 checksum in the release notes for that version. Obviously, you should also verify that the release notes are from a trusted source. We have no reason to believe that was compromised (it runs on different hardware than but it’s worth double-checking the release notes against the oldest version you can find on, just to be safe.


Is there any work around for rvm to install successfully?


@sferik Thanks for your supplementary comments.

We are restoring from other mirrors and confirming these checksums.


Is there any estimated time for being ready to go again?

Mike Pontillo

As for rvm, it looks like there is an rvm tools mirror command which configures rvm to use Worked for me, but it might be a good idea to check the hashes. For me, checking ~/.rvm/archives, the file matched the changelog:

$ shasum -a 256 ruby-1.8.7-p374.tar.bz2
b4e34703137f7bfb8761c4ea474f7438d6ccf440b3d35f39cc5e4d4e239c07e3  ruby-1.8.7-p374.tar.bz2
Andrew Buntine

It seems like FTP/HTTP is back up on for now.


@ijin is resumed now. I appreciated your report.

SHIBATA Hiroshi hsbt closed this
Urabe, Shyouhei

@hsbt :+1: Great job!

Michael H. Oshita

@hsbt thanks!

Andreas M. Kavountzis

@hsbt thanks so much for the quick response!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.