According to the digest:

MD5 84910caae072c714d107ca9f3e54ace0 graphviz-1.12.tar.gz 3371279

According to wget:

[23:13:13] [ben:~] $ wget http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-1.12.tar.gz
--23:13:16-- http://www.graphviz.org/pub/graphviz/ARCHIVE/graphviz-1.12.tar.gz
=> `graphviz-1.12.tar.gz'
Resolving www.graphviz.org... 192.20.225.20
Connecting to www.graphviz.org[192.20.225.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,348,808 [application/x-gzip]
100%[====================================>] 3,348,808 331.92K/s ETA 00:00
23:13:25 (368.12 KB/s) - `graphviz-1.12.tar.gz' saved [3348808/3348808]

Is there something weird going on here? I'm assuming that the file size difference is why the fetch keeps failing even though the download comes through fine.

Reproducible: Always
Steps to Reproduce:

Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.8-gentoo-r3)
=================================================================
System uname: 2.6.8-gentoo-r3 i686 AMD Athlon(tm) XP 2600+
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -march=athlon-xp -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -march=athlon-xp -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowex X acl acpi aim alsa apm audiofile avi berkdb bidi bitmap-fonts bonobo bzlib cdparanoia cdr cjk crypt cups curl doc dvd dvdread encode ethereal evo exif fam flac flash foomaticdb ftp gdbm gif gnome gnutls gphoto2 gpm gstreamer gtk2 gtkhtml iconv icq imap imlib jabber java jikes joystick jpeg libg++ libgda libwww mad maildir matroska mbox mikmod mime ming mmap mmx motif mozilla mpeg ncurses network nls nocd offensive oggvorbis openal opengl oscar pam pda pdflib perl pic png python quicktime readline ruby samba sdl sharedmem slang sockets speex spell ssl svg svga tcpd theora tiff truetype unicode usb videos x86 xml2 xprint xv xvid zlib"
I checked - the tarball contents are identical. Assuming it's just a different gzip compression option on it. I still have the old tarball on my local mirror so I'm not going to fix this just yet.
Identical as in same filenames? Or did you check the md5sums one by one? 100KB more seems a little odd to me. It reminds me of the time some server or another was compromised and backdoor code was injected into the xchat source.
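Added example, not part of the original thread and not Portage's own code: one way to tell a re-compressed tarball from a re-spun one is to check the file against the digest line and then compare the two archives member by member. The function names and the pkg-1.0 sample archives are constructed for illustration, and SHA-256 is used for the per-member comparison instead of md5sum.

```python
import hashlib, io, tarfile

def parse_digest(line):
    # Digest line as quoted in the report: "MD5 <hex> <filename> <size>"
    algo, hexsum, name, size = line.split()
    return {"algo": algo, "hash": hexsum, "name": name, "size": int(size)}

def check_distfile(data, entry):
    # Returns the list of mismatches; an empty list means the file matches.
    problems = []
    if len(data) != entry["size"]:
        problems.append("size")
    if hashlib.md5(data).hexdigest() != entry["hash"]:
        problems.append("md5")
    return problems

def member_hashes(data):
    # Map every regular file inside a tar.gz to the SHA-256 of its contents.
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def diff_tarballs(old, new):
    a, b = member_hashes(old), member_hashes(new)
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}

def make_tarball(files, level):
    # Constructed sample input: build a small tar.gz in memory.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=level) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    base = {"pkg-1.0/configure.ac": b"AC_INIT\n" * 200, "pkg-1.0/main.c": b"int x;\n"}
    old, same = make_tarball(base, 9), make_tarball(base, 1)
    respun = make_tarball({**base, "pkg-1.0/main.c": b"int y;\n", "pkg-1.0/ltmain.sh": b"#\n"}, 9)
    entry = parse_digest("MD5 %s pkg-1.0.tar.gz %d" % (hashlib.md5(old).hexdigest(), len(old)))
    for label, data in (("recompressed", same), ("respun", respun)):
        print(label, check_distfile(data, entry), diff_tarballs(old, data))
```

An archive that fails the digest but shows empty added, removed and changed lists differs only in its compression; anything listed there is a content change that needs to be read before the digest is regenerated.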
The problem is that graphviz doesn't increase their version number for subversions. They have a release tag on their rpm source, but even this is outdated -1. On the mailing lists you can read that they're talking about 1.12 (v7) and 1.12 (v11), but I couldn't find any hint inside the source code, except that it's 800K bigger now and using a newer automake/conf/lisp and so on. There are also newer versions up to 1.17 but some input/output is incompatible with 1.12, so be careful. I think it would be best to update the gentoo mirrors once and comment out the original SRC_URI with a remark to subversions. Instead use the gentoo mirrors release.
So does that mean that the configure.ac patch that the 1.12 ebuild uses isn't needed anymore?
(Sorry 100k not 800k) About the ebuild with the newer original archive: More precisely it doesn't work anymore using the configure patch. Also remove rm, aclocal, autoconf and automake lines. The build fix is still ok. Note that you'll have to delete the digest file, otherwise the download will resume on a mirror site, since the newer original archive is a little bit smaller. It compiles, installs and works well, at least on x86 with TCLTK installed. But I guess, now we have the same problem as before for machines not having tcl/tk as there is no explicit configure option for that.
Not a security problem. Reassigning to package maintainers...
Alright, someone really needs to convince them to use micro version numbers in their tarballs. This is causing an annoying amount of trouble. After dancing through the digest and mirror stuff, and editing the ebuild by hand, I *think* I've got it working. (It's still compiling.) Pain in the ass though.
Just did an emerge -f =graphviz-1.12 and got no complaints. Please reopen if this is still an issue.