01:17:28 (124.07 KB/s) - `/usr/portage/distfiles/openssh-lpk-4.4p1-0.3.7.patch' saved [61187/61187]

('Filesize does not match recorded size', 61187L, 61158)
!!! Fetched file: openssh-lpk-4.4p1-0.3.7.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 61187
!!! Expected: 61158
Removing corrupt distfile...
!!! Couldn't download 'openssh-lpk-4.4p1-0.3.7.patch'. Aborting.
!!! Fetch for /usr/portage/net-misc/openssh/openssh-4.4_p1-r1.ebuild failed, continuing...
I had the same error, but I had a lot of updates to do so I just did: emerge openssh --digest to get by the bad digest. So, I can confirm this bug. Cheers
I don't want to build a security tool from unsecured source. Please fix this.
USE="-ldap" emerge openssh works, of course. Just to detail the error.
(In reply to comment #2)
> I don't want to build a security tool from unsecured source. Please fix this.

thank you for your useless input
(In reply to comment #4)
> thank you for your useless input

It's a fair point, SpanKY:
1) The filesize and checksum(s) don't match;
2) The SRC_URI for the patch changed from previous ebuilds (from opendarwin.org to inversepath.com);
3) There are no Gentoo mirror copies of the patch to compare against.

For something as important as SSH, I'm certainly not going to just blindly regenerate the digest for a patch file (from a third party!) without knowing what changed and why. (Attn: QA Team.)

A little OT but relevant, the Gentoo Development Guide on patches has the right idea but should be strengthened. The only "trusted" sources of patches are the Portage tree (for small patches), or the Gentoo Mirrors (for large patches) - third party sites should not be used directly.
> It's a fair point, SpanKY:

that's why there is a bug opened ... filing a bug and turning around to ask for it to be fixed is stupid ... that's why the bug was and is opened

> 2) The SRC_URI for the patch changed from previous ebuilds (from
> opendarwin.org to inversepath.com);

if you followed ldap at all, you'd know this is on purpose ... apple is killing opendarwin

as for 1/3, the guy who actually wrote the ldap patch is a Gentoo dev ... he probably just missed something when handling the patch update
The digest looks fine to me. Size matches. Please remove the patch from distfiles, resync and refetch.
I just resynced, and I'm getting the same problem:

('Filesize does not match recorded size', 61187, 61158)
!!! Fetched file: openssh-lpk-4.4p1-0.3.7.patch VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got: 61187
!!! Expected: 61158
Removing corrupt distfile...
!!! Couldn't download 'openssh-lpk-4.4p1-0.3.7.patch'. Aborting.

I tried downloading the patch with Firefox, and it is 61187 bytes long, but the Manifest and digest list the file as 61158 bytes long.
Fixed now. Wait and re-synch. Sorry for this (blame me and my silly cvs which messed up merging).
Marking as verified/fixed. Should be closed, imho.

Regarding comment#4: I was trying to reply to comment#1 - people should better do emerge --resume --skipfirst if their emerge world is stopped at this specific package instead of just ignoring integrity checks. Though there are many other packages that could be misused to bring trojans/backdoors to the Gentoo community, this is one of the packages that I definitely don't want to be hijacked. Imagine Microsoft advertisements... :-(

If the portage code is checking filesize *and* checksums, regardless of size mismatch, and then complains about *all* errors found - ie. the checksums *would* have been correct in this case - then it would be much less alarming. If that is the case - I still didn't check this out - then You're totally right.

"--skipfirst" didn't come to my mind when I wrote comment#2 - that would have added some better sense in that comment. Anyhow: I'm sorry to bore or annoy You, SpanKY. Don't let this bring You down!
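The behaviour the last comment asks about (check the size and every recorded checksum, then report all mismatches instead of stopping at the first) can be sketched as follows. This is an added example, not Portage's code and not part of the bug thread; the function names, the SHA-256/SHA-512 choice and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

def verify_distfile(data, expected_size, expected_hashes):
    """Check size AND every recorded digest; return all mismatches found.

    Each mismatch is (check, got, expected). An empty list means verified.
    """
    problems = []
    if len(data) != expected_size:
        problems.append(("size", str(len(data)), str(expected_size)))
    # Keep going after a size mismatch so the report shows whether only the
    # recorded size is stale or the content itself differs.
    for algo, expected in sorted(expected_hashes.items()):
        got = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(got, expected.lower()):
            problems.append((algo, got, expected.lower()))
    return problems

def report(name, problems):
    """Render one line per failed check so no failure hides another."""
    if not problems:
        return f"{name}: OK"
    lines = [f"{name}: VERIFY FAILED ({len(problems)} check(s))"]
    lines += [f"  {check}: got {got}, expected {want}"
              for check, got, want in problems]
    return "\n".join(lines)

# Constructed sample data, not the real patch or its real digests.
FETCHED = b"--- a/servconf.c\n+++ b/servconf.c\n" * 40
RECORDED = {a: hashlib.new(a, FETCHED).hexdigest() for a in ("sha256", "sha512")}

if __name__ == "__main__":
    # Case 1: recorded size is stale but the digests match the fetched bytes.
    stale = verify_distfile(FETCHED, len(FETCHED) - 29, RECORDED)
    print(report("stale-size.patch", stale))
    # Case 2: same length, one byte changed: the size check alone passes.
    altered = b"+" + FETCHED[1:]
    print(report("altered.patch", verify_distfile(altered, len(FETCHED), RECORDED)))
```

A size-only mismatch still fails verification here; the fuller report only tells whoever maintains the recorded values which field to investigate before anything is regenerated.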