dev-util/byacc/byacc-20210808.ebuild has invalid hash (and size) in Manifest From page https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-util/byacc/Manifest > DIST byacc-20210808.tgz 895366 $ curl -sI https://invisible-mirror.net/archives/byacc/byacc-20210808.tgz | grep -i "^content-length: content-length: 891489 895366 != 891489 thus hash must be invalid as well. This of course leads to build error. So either invisible-mirror.net has been corrupted, or author has changed package (bug fix?) after releas or there has been mistake while adding ebuild. Or maybe something else?
I dug some more, and it does seem that there has been a change on invisible-mirror.net, just don't know whether that is an attack or author changed file after release. I've found that file on external mirror $ curl -sI https://fra.de.distfiles.macports.org/byacc/byacc-20210808.tgz| grep -i "^content-length: " Content-Length: 895366 $ curl -s https://fra.de.distfiles.macports.org/byacc/byacc-20210808.tgz| sha512sum fcc6acde33259fa854d4d2cffdd22a70b81deda86b5cfe5c6b5e49a1148fef1de4efc888bd3739ebbb98885690faae91b13a4a184df90f8e94524b7e4cf8d3b6 sha512 from gentoo portage tree: fcc6acde33259fa854d4d2cffdd22a70b81deda86b5cfe5c6b5e49a1148fef1de4efc888bd3739ebbb98885690faae91b13a4a184df90f8e94524b7e4cf8d3b6 So they do match.
!!! Fetched file: byacc-20210808.tgz VERIFY FAILED! !!! Reason: Filesize does not match recorded size !!! Got: 891489 !!! Expected: 895366
I got (In reply to mlyszczek from comment #1) > I dug some more, and it does seem that there has been a change on > invisible-mirror.net, just don't know whether that is an attack or author > changed file after release. > > I've found that file on external mirror > > $ curl -sI https://fra.de.distfiles.macports.org/byacc/byacc-20210808.tgz| > grep -i "^content-length: " > Content-Length: 895366 > > $ curl -s https://fra.de.distfiles.macports.org/byacc/byacc-20210808.tgz| > sha512sum > fcc6acde33259fa854d4d2cffdd22a70b81deda86b5cfe5c6b5e49a1148fef1de4efc888bd373 > 9ebbb98885690faae91b13a4a184df90f8e94524b7e4cf8d3b6 > > sha512 from gentoo portage tree: > fcc6acde33259fa854d4d2cffdd22a70b81deda86b5cfe5c6b5e49a1148fef1de4efc888bd373 > 9ebbb98885690faae91b13a4a184df90f8e94524b7e4cf8d3b6 > > So they do match. I downloaded and compared the contents of the following versions of byacc-20210808: 1) [www] version seemingly used to make current portage ebuild (https://fra.de.distfiles.macports.org/byacc/byacc-20210808.tgz) 2) [portage] version available at the maintainer's website (https://invisible-mirror.net/archives/byacc/byacc-20210808.tgz) 3) [github] t20210808 branch code at the maintainer's GitHub (https://github.com/ThomasDickey/byacc-snapshots/tree/t20210808) And this are the results I got: - [www] and [portage] differ only in one file: parser.y which is included in [portage] and absent from [www] - [portage] and [github] differ in parser.y (which is absent from [github] and included in [portage]), CHANGES, and MANIFEST - [www] and [github] differ only in CHANGES and MANIFEST. - Additionally, I scanned [portage]'s code for literal references to parser.y and found none. Hence, I think that the cached version of the source file (https://fra.de.distfiles.macports.org/byacc/byacc-20210808.tgz) should be safe to use (unless someone discovers the presence of parser.y affects in some way the code's execution), until the ebuild gets updated.
The file is present on gentoo mirrors. If you are getting fetch failures, you probably have an invalid setting for GENTOO_MIRRORS configured in make.conf.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb60b0a61dcd06261ff95635796763d675b8029d commit bb60b0a61dcd06261ff95635796763d675b8029d Author: Mike Gilbert <floppym@gentoo.org> AuthorDate: 2021-11-08 02:44:11 +0000 Commit: Mike Gilbert <floppym@gentoo.org> CommitDate: 2021-11-08 02:44:11 +0000 dev-util/byacc: update Manifest Closes: https://bugs.gentoo.org/820167 Signed-off-by: Mike Gilbert <floppym@gentoo.org> dev-util/byacc/Manifest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
*** Bug 822402 has been marked as a duplicate of this bug. ***
*** Bug 825090 has been marked as a duplicate of this bug. ***
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73fa675629b4649d694a167b0df8ce3e2f2cce6e commit 73fa675629b4649d694a167b0df8ce3e2f2cce6e Author: Sam James <sam@gentoo.org> AuthorDate: 2021-11-20 06:52:39 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-11-20 06:52:55 +0000 dev-util/byacc: update SRC_URI (use upstream FTP) Hopefully this is the end of it. Fetched directly, I get the same checksum as the one we originally added. Closes: https://bugs.gentoo.org/825090 Closes: https://bugs.gentoo.org/820167 Signed-off-by: Sam James <sam@gentoo.org> dev-util/byacc/byacc-20210808.ebuild | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)