Bug 869458 - [guru] net-p2p/p2pool-2.3 fetches file(s) that do not match recorded size
Summary: [guru] net-p2p/p2pool-2.3 fetches file(s) that do not match recorded size
Status: RESOLVED FIXED
Alias: None
Product: GURU
Classification: Unclassified
Component: Package issues
Hardware: All Linux
Importance: Normal normal
Assignee: Adam
Reported: 2022-09-10 08:38 UTC by Agostino Sarubbo
Modified: 2022-12-04 17:05 UTC

Attachments
build.log (build.log,63.06 KB, text/plain)
2022-09-10 08:38 UTC, Agostino Sarubbo
Description Agostino Sarubbo gentoo-dev 2022-09-10 08:38:28 UTC
https://blogs.gentoo.org/ago/2020/07/04/gentoo-tinderbox/

Issue: net-p2p/p2pool-2.3 fetches file(s) that do not match recorded size.
Discovered on: amd64 (internal ref: guru_ci)

NOTE:
While the resolution of this bug may be trivial, I'd like to suggest paying attention to WHY, and whether it is a case of a tarball fraudulently replaced (hacked mirror).
Comment 1 Agostino Sarubbo gentoo-dev 2022-09-10 08:38:31 UTC
Created attachment 804436
build.log

build log and emerge --info
Comment 2 Agostino Sarubbo gentoo-dev 2022-09-10 08:38:32 UTC
Error(s) that match a known pattern:


 * Fetch failed for 'net-p2p/p2pool-2.3', Log file:
!!! Reason: Filesize does not match recorded size
Comment 3 Adam 2022-12-01 14:46:27 UTC
It could be an MITM or something by github.com. It was still matching the hashes in the manifest, no? Unless the attacker can find BLAKE2B hash collisions I am not worried.

In any case, I have removed these ebuilds, but if this happens again please warn me.
Comment 4 Thibaud CANALE 2022-12-03 21:34:11 UTC
Hello Adam,

I see "pkgdev push" is complaining about some Manifest issue for net-p2p/p2pool; it looks like there is one entry too many, the archive "p2pool-2.6-libzmq.tar.gz".

There are also some other QA warnings when running "pkgcheck scan -- net-p2p/p2pool":

1) UnknownManifest: unknown distfile in Manifest: [ p2pool-2.6-libzmq.tar.gz ]

As already raised above, you simply need to run "pkgdev manifest -- net-p2p/p2pool" to fix it.

2) MissingRemoteId: missing remote-id of type 'github' with value 'SChernykh/curl' (inferred from URI 'https://github.com/SChernykh/curl/archive/cd95ee9f771361acf241629d2fe5507e308082a2.tar.gz')

For this, can you provide a metadata.xml with such content please?
```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
	<maintainer type="person">
		<email>adam.pimentel@protonmail.com</email>
		<name>Adam Pimentel</name>
	</maintainer>
	<stabilize-allarches/>
	<upstream>
		<remote-id type="github">SChernykh/p2pool</remote-id>
	</upstream>
</pkgmetadata>
```

3) ExcessiveLineLength: version 2.6-r1: excessive line length (over 120 characters) on lines: 25, 38, 45

Well, easy, just trim some lines please ;-)

Just in case, here is some help for contribution:
https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Contributors#Committing

Note: I could have pushed those modifications, but I prefer to leave the ownership to you.
Comment 5 Viorel Munteanu gentoo-dev 2022-12-04 10:22:46 UTC
(In reply to Adam from comment #3)
> It could be an MITM or something by github.com. It was still matching the
> hashes in the manifest, no? Unless the attacker can find BLAKE2B hash
> collisions I am not worried.
> 
> In any case, I have removed these ebuilds, but if this happens again please
> warn me.

GitHub commit snapshots are not guaranteed to be reproducible. This can happen again in the future. You can try to replace them with archives from releases or tags where available.

I will assign the bug to you so you can close it, but please read comment 4 and consider adding yourself as a maintainer.  Thanks!
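
An added illustration (not part of the bug thread, and not Portage's code): a minimal Manifest `DIST` check in Python showing how a regenerated snapshot with an identical source tree but different gzip settings fails the size check reported in comment 2, while a same-size modification is caught by BLAKE2B. The file name, payload and helper functions are constructed for the example.

```python
import gzip
import hashlib
import io
import tarfile

ALGOS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}

def make_snapshot(level):
    """Constructed stand-in for a forge-generated tar.gz of one fixed tree."""
    payload = b"".join(b"line %d: value %d\n" % (i, i * i % 97) for i in range(2000))
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo("example-src/data.txt")  # mtime/uid default to 0
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return gzip.compress(tar_buf.getvalue(), compresslevel=level, mtime=0)

def manifest_line(name, data):
    """Build a DIST entry: name, size, then (algorithm, hex digest) pairs."""
    pairs = " ".join(f"{a} {h(data).hexdigest()}" for a, h in ALGOS.items())
    return f"DIST {name} {len(data)} {pairs}"

def parse_dist(line):
    f = line.split()
    if len(f) < 5 or f[0] != "DIST" or len(f) % 2 == 0:
        raise ValueError("malformed DIST entry")
    return f[1], int(f[2]), dict(zip(f[3::2], f[4::2]))

def verify(line, data):
    """Return 'ok', 'size', or the name of the first hash that mismatches."""
    _, size, hashes = parse_dist(line)
    if len(data) != size:  # cheap check first; the failure seen in comment 2
        return "size"
    for algo, expected in hashes.items():
        if ALGOS[algo](data).hexdigest() != expected:
            return algo
    return "ok"

def tree_digest(data):
    """Digest of the decompressed tar stream, i.e. content without gzip framing."""
    return hashlib.sha256(gzip.decompress(data)).hexdigest()

if __name__ == "__main__":
    recorded = make_snapshot(9)   # bytes seen when the Manifest was generated
    refetched = make_snapshot(1)  # same tree, archive regenerated differently
    tampered = recorded[:-1] + bytes([recorded[-1] ^ 1])  # same size, one bit flipped
    line = manifest_line("example-snapshot.tar.gz", recorded)
    for label, blob in (("recorded", recorded), ("refetched", refetched), ("tampered", tampered)):
        print(label, verify(line, blob))
    print("same tree:", tree_digest(recorded) == tree_digest(refetched))
```

Comparing the digest of the decompressed stream is a quick triage step for separating a regenerated archive from changed content.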
Comment 6 Adam 2022-12-04 17:04:53 UTC
Interesting. It seems that I cannot update the manifest because github.com is blocking curl (but not wget) for some reason. Changing my IP fixes it. Seems like it is some type of rate-limiting thing.
Comment 7 Adam 2022-12-04 17:05:25 UTC
(In reply to Thibaud CANALE from comment #4)
> Hello Adam,
> 
> I see "pkgdev push" is complaining about some Manifest issue for
> net-p2p/p2pool, it looks like there is one entry too much, the archive
> "p2pool-2.6-libzmq.tar.gz".
> 
> There is also some other QA Warnings, running "pkgcheck scan --
> net-p2p/p2pool":
> 
> 1) UnknownManifest: unknown distfile in Manifest: [ p2pool-2.6-libzmq.tar.gz ]
> 
> As already raised above, you simply need to run "pkgdev manifest --
> net-p2p/p2pool" to fix it.
> 
> 2) MissingRemoteId: missing remote-id of type 'github' with value
> 'SChernykh/curl' (inferred from URI
> 'https://github.com/SChernykh/curl/archive/cd95ee9f771361acf241629d2fe5507e308082a2.tar.gz')
> 
> For this, can you provide a metadata.xml with such content please?
> ```
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
> <pkgmetadata>
> 	<maintainer type="person">
> 		<email>adam.pimentel@protonmail.com</email>
> 		<name>Adam Pimentel</name>
> 	</maintainer>
> 	<stabilize-allarches/>
> 	<upstream>
> 		<remote-id type="github">SChernykh/p2pool</remote-id>
> 	</upstream>
> </pkgmetadata>
> ```
> 
> 3) ExcessiveLineLength: version 2.6-r1: excessive line length (over 120
> characters) on lines: 25, 38, 45
> 
> Well, easy, just trim some lines please ;-)
> 
> Just in case, here some help for contribution:
> https://wiki.gentoo.org/wiki/Project:GURU/Information_for_Contributors#Committing
> 
> Note: I could have pushed those modifications, but I prefer to let the
> ownership to you.

I've pushed these changes, thank you.