Bug 608462 - sys-fs/e2fsprogs-1.43.4 - sourceforge and kernel.org mirrors host different e2fsprogs-1.43.4.tar.gz files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Keywords: PullRequest
Reported: 2017-02-06 17:05 UTC by eroen
Modified: 2020-07-04 14:02 UTC
Description eroen 2017-02-06 17:05:55 UTC
>>> Fetching (1 of 1) sys-fs/e2fsprogs-1.43.4::gentoo
>>> Downloading 'http://download.sourceforge.net/e2fsprogs/e2fsprogs-1.43.4.tar.gz'
--2017-02-06 16:49:28--  http://download.sourceforge.net/e2fsprogs/e2fsprogs-1.43.4.tar.gz
Resolving download.sourceforge.net (download.sourceforge.net)... 216.34.181.59
Connecting to download.sourceforge.net (download.sourceforge.net)|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://downloads.sourceforge.net/project/e2fsprogs/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz [following]
--2017-02-06 16:49:28--  http://downloads.sourceforge.net/project/e2fsprogs/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz
Resolving downloads.sourceforge.net (downloads.sourceforge.net)... 216.34.181.59
Connecting to downloads.sourceforge.net (downloads.sourceforge.net)|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://netassist.dl.sourceforge.net/project/e2fsprogs/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz [following]
--2017-02-06 16:49:29--  https://netassist.dl.sourceforge.net/project/e2fsprogs/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz
Resolving netassist.dl.sourceforge.net (netassist.dl.sourceforge.net)... 62.205.134.42, 2a01:d0:0:37::2
Connecting to netassist.dl.sourceforge.net (netassist.dl.sourceforge.net)|62.205.134.42|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7552516 (7.2M) [application/x-gzip]
Saving to: '/var/distfiles/e2fsprogs-1.43.4.tar.gz'

/var/distfiles/e2fsprogs-1.4 100%[===========================================>]   7.20M   284KB/s    in 47s     

2017-02-06 16:50:49 (156 KB/s) - '/var/distfiles/e2fsprogs-1.43.4.tar.gz' saved [7552516/7552516]

!!! Fetched file: e2fsprogs-1.43.4.tar.gz VERIFY FAILED!
!!! Reason: Failed on SHA256 verification
!!! Got:      a648a90a513f1b25113c7f981af978b8a19f832b3a32bd10707af3ff682ba66d
!!! Expected: 1644db4fc58300c363ba1ab688cf9ca1e46157323aee1029f8255889be4bc856
Refetching... File renamed to '/var/distfiles/e2fsprogs-1.43.4.tar.gz._checksum_failure_.x0_bumg2'

>>> Downloading 'http://www.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz'
--2017-02-06 16:50:49--  http://www.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz
Resolving www.kernel.org (www.kernel.org)... 149.20.4.69, 199.204.44.194, 198.145.20.140, ...
Connecting to www.kernel.org (www.kernel.org)|149.20.4.69|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz [following]
--2017-02-06 16:50:50--  https://www.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v1.43.4/e2fsprogs-1.43.4.tar.gz
Connecting to www.kernel.org (www.kernel.org)|149.20.4.69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7552516 (7.2M) [application/x-gzip]
Saving to: '/var/distfiles/e2fsprogs-1.43.4.tar.gz'

/var/distfiles/e2fsprogs-1.4 100%[===========================================>]   7.20M   637KB/s    in 12s     

2017-02-06 16:51:03 (596 KB/s) - '/var/distfiles/e2fsprogs-1.43.4.tar.gz' saved [7552516/7552516]

 * e2fsprogs-1.43.4.tar.gz SHA256 SHA512 WHIRLPOOL size ;-) ...                                           [ ok ]


eroen@occam /var/distfiles $ diff -urN <(xxd e2fsprogs-1.43.4.tar.gz) <(xxd e2fsprogs-1.43.4.tar.gz._checksum_failure_.x0_bumg2 )
--- /dev/fd/63	2017-02-06 17:48:10.010271074 +0100
+++ /dev/fd/62	2017-02-06 17:48:10.010271074 +0100
@@ -1,4 +1,4 @@
-00000000: 1f8b 0800 0446 9158 0203 ec5b 6973 1b49  .....F.X...[is.I
+00000000: 1f8b 0800 d640 9158 0203 ec5b 6973 1b49  .....@.X...[is.I
 00000010: 72d5 e7fa 1515 5a47 885c 0320 7110 94e4  r.....ZG.\. q...
 00000020: 58db 1449 69b8 2625 8548 edf8 1ba3 d05d  X..Ii.&%.H.....]
 00000030: 007a d807 a6ab 9b14 e6d7 fb65 6655 77e3  .z.........efUw.


So, the difference between the files is only the gzip header timestamp, but it is somewhat worrying that different files are hosted for a release, and the sourceforge file doesn't match our Manifest.
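
An added example, not part of the original report and not Portage code: the comparison the xxd diff above does by eye, written as a check that reads the gzip MTIME field (RFC 1952, bytes 4-7) and confirms whether two downloads decompress to the same tar stream before a mismatch is put down to the header. The function names are hypothetical and the payload is a constructed stand-in; only the two MTIME values are taken from the hex dump.

```python
import gzip
import hashlib
import io
import struct

def make_gzip(payload, mtime):
    """Constructed sample input: gzip `payload` with a chosen header MTIME."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as f:
        f.write(payload)
    return buf.getvalue()

def gzip_mtime(blob):
    """Return the MTIME field of a gzip member (bytes 4-7, little-endian)."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    return struct.unpack_from("<I", blob, 4)[0]

def classify_mismatch(a, b):
    """Say why two downloads of one release tarball hash differently."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return {"verdict": "identical", "diff_offsets": []}
    # gzip.decompress also checks the CRC32/ISIZE trailer of each stream.
    same_payload = (hashlib.sha256(gzip.decompress(a)).digest()
                    == hashlib.sha256(gzip.decompress(b)).digest())
    offsets = None
    if len(a) == len(b):
        offsets = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if not same_payload:
        verdict = "payload-differs"      # the tar contents are not the same
    elif offsets and all(4 <= i <= 7 for i in offsets):
        verdict = "mtime-only"           # same tar, compressed at another time
    else:
        verdict = "container-differs"    # same tar, other gzip bytes differ
    return {"verdict": verdict, "diff_offsets": offsets,
            "mtimes": (gzip_mtime(a), gzip_mtime(b))}

if __name__ == "__main__":
    # Constructed stand-in payload; the MTIME values are the two header
    # timestamps visible in the xxd diff (04 46 91 58 and d6 40 91 58).
    tar = b"constructed stand-in for the tarball contents\n" * 64
    kernel_org = make_gzip(tar, 0x58914604)
    sourceforge = make_gzip(tar, 0x589140D6)
    print(classify_mismatch(kernel_org, sourceforge))
```

Only the "mtime-only" verdict supports the conclusion drawn in this report; "payload-differs" means the two mirrors are serving different source trees.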
Comment 1 Francesco Turco 2017-02-06 20:18:05 UTC
I can confirm this problem. Even changing Sourceforge mirror doesn't fix it.
Comment 2 Hank Leininger 2017-02-10 15:24:11 UTC
Also/still happened to me.  I concur with the others' analysis that the only difference (at the moment?) is in the header timestamp which is Mostly Harmless.

So, currently nobody can build e2fsprogs if they happen to fetch from the sourceforge mirror.

Can we temporarily modify the ebuild to use only one of mirror://sourceforge/ and mirror://kernel/, and use the corresponding values in Manifest?
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-10-17 08:15:27 UTC
Is this still true for later release versions? 1.43.4 is already gone from our repositories.
Comment 4 Francesco Turco 2017-10-20 20:37:00 UTC
I checked gz-compressed versions 1.43.{3,5,6} from kernel.org and sourceforge.net (University of Kent mirror). Their SHA-1 checksums still don't match, unfortunately.
Comment 5 Francesco Turco 2017-10-20 20:38:43 UTC
from kernel.org:

986a908c3350207e6ecdba5e2e390b1cf4625900  e2fsprogs-1.43.3.tar.gz
a421e5240a03655e80cc68613c2eb0b5a23a042e  e2fsprogs-1.43.5.tar.gz
ad133c90382790279dcc61a19e477a2f0955720b  e2fsprogs-1.43.6.tar.gz

from sourceforge.net:

927cb79c6399c559a83b4fa528ec8912a82d122f  e2fsprogs-1.43.3.tar.gz
dcf98fcb96f8a57c7083d54caee6af050f0025cf  e2fsprogs-1.43.5.tar.gz
104e846948c4b7011b348262be2960e376bfc823  e2fsprogs-1.43.6.tar.gz
Comment 6 Larry the Git Cow gentoo-dev 2020-07-04 14:02:31 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4916c08894dd0bf5988bde2f8f8af5192b91782

commit d4916c08894dd0bf5988bde2f8f8af5192b91782
Author:     Francesco Turco <mail@fturco.net>
AuthorDate: 2020-07-04 13:28:47 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-04 13:59:38 +0000

    sys-fs/e2fsprogs: remove sourceforge mirror from SRC_URI
    
    Signed-off-by: Francesco Turco <mail@fturco.net>
    Closes: https://bugs.gentoo.org/608462
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16584

 sys-fs/e2fsprogs/e2fsprogs-1.45.5.ebuild | 3 +--
 sys-fs/e2fsprogs/e2fsprogs-1.45.6.ebuild | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4c947bf6dba9fdddbb8a41a1c5f9615ff8060b4

commit c4c947bf6dba9fdddbb8a41a1c5f9615ff8060b4
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-07-04 14:01:58 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-07-04 14:01:58 +0000

    sys-libs/e2fsprogs-libs: drop sourceforge mirror
    
    Bug: https://bugs.gentoo.org/608462
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-libs/e2fsprogs-libs/e2fsprogs-libs-1.45.5.ebuild | 3 +--
 sys-libs/e2fsprogs-libs/e2fsprogs-libs-1.45.6.ebuild | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)