Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 233516

Summary: dev-libs/glib-2.16.3 digest verification failed proven with multiple mirrors
Product: Gentoo Linux Reporter: Juan Luis <Skirmitch>
Component: [OLD] UnspecifiedAssignee: Mirror Admins <mirror-admin>
Status: RESOLVED WORKSFORME    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Juan Luis 2008-07-31 19:03:12 UTC 
Calculating dependencies... done!
>>> Verifying ebuild Manifests...

>>> Emerging (1 of 1) dev-libs/glib-2.16.3 to /
!!! Previously fetched file: 'glib-2.16.3.tar.bz2'
!!! Reason: Failed on RMD160 verification
!!! Got:      d2654b4a506ddb8f6d3e7da149b651a3de2f698c
!!! Expected: 72260f5f9022ee3f97b79b5705ad6117adc279fd
Refetching... File renamed to '/usr/portage/distfiles/glib-2.16.3.tar.bz2._chec sum_failure_.6cZ23N'

>>> Downloading 'http://mirrors.cs.wmich.edu/gentoo/distfiles/glib-2.16.3.tar.b 2'
--2008-07-31 18:00:09--  http://mirrors.cs.wmich.edu/gentoo/distfiles/glib-2.16 3.tar.bz2
Resolving mirrors.cs.wmich.edu... 141.218.143.20
Connecting to mirrors.cs.wmich.edu|141.218.143.20|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4540919 (4.3M) [application/x-tar]
Saving to: `/usr/portage/distfiles/glib-2.16.3.tar.bz2'

100%[======================================>] 4,540,919    274K/s   in 31s

2008-07-31 18:00:40 (144 KB/s) - `/usr/portage/distfiles/glib-2.16.3.tar.bz2' s ved [4540919/4540919]

 * checking ebuild checksums ;-) ...                                      [ ok
 * checking auxfile checksums ;-) ...                                     [ ok
 * checking miscfile checksums ;-) ...                                    [ ok
 * checking glib-2.16.3.tar.bz2 ;-) ...                                   [ !!

!!! Digest verification failed:
!!! /usr/portage/distfiles/glib-2.16.3.tar.bz2
!!! Reason: Failed on RMD160 verification
!!! Got: d2654b4a506ddb8f6d3e7da149b651a3de2f698c
!!! Expected: 72260f5f9022ee3f97b79b5705ad6117adc279fd
freaky glib #

 In /etc/make.conf i commented the lines for mirrors issues such as SYNC and the other one for packages fetching. Tryed also uncomenting these lines gettin as sync mirror and packages fetchin mirror the Brasilian Mirror gettin the same result, tryed for 3 days, deleted the ebuild, then "sync-ing" again to replace the ebuild and the same problem, if i use emerge glib, it tryes to fetch dev-libs/glib-2.16.3-r1 so tryed to force-emerge the ebuild dev-libs/glib-2.16.3 .ebuild and got the same problem. This is the second time i get the same problem: when i was installing the system i got the same with a sys logger (dont remember wich one, but the recommended on the Gentoo Handbook, but i solved it just picking an other logger.



Reproducible: Always

Steps to Reproduce:
1.emerge sync 
2.emerge glib

Actual Results:  
i got the error that i pasted on "description"

Expected Results:  
merged the package and check it succefull

tryed it with "gnome" USE flag and "-gnome" USE flag as well, my actuall system uses "-gnome", i found the problem when i unmasked "monodevelop" with all its dependences, then tryed to emerge glib alone and got the same problem several times, tryed it without any service or program running, i use xorg-server + enlightenment desktop enviroment, tryed runnin X and without X running, changing mirrors and using the default mirror (when you dont have a mirror especified on make.conf)

 The main idea of unblocking monodevelop is to test it so it can be unmasked, so i think is a serious bug.
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2008-07-31 19:27:14 UTC 
*** Bug 233518 has been marked as a duplicate of this bug. ***
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2008-07-31 19:40:40 UTC 
Just merging an ebuild when the hash doesn't match isn't really careful. Especially in these days of unsafe dns servers. A malicious attack aside, this may just be a mirror issue, which seems to be likely, given that the Michigan Univerity mirror isn't even reachable for me. The expected hash is correct.
Comment 3 Jouni Kosonen 2008-07-31 20:00:40 UTC 
Just FYI:
Fetching the file from http://mirrors.cs.wmich.edu/gentoo/distfiles/glib-2.16.3.tar.bz2 worked here, and the resultant file was identical to the one fetched about a month ago up to the timestamp, 2008-04-10 04:24:08 UTC.

Both files have the expected RIPEMD160 hash:

/tmp $ openssl dgst -rmd160 /usr/portage/distfiles/glib-2.16.3.tar.bz2 /tmp/glib-2.16.3.tar.bz2 
RIPEMD160(/usr/portage/distfiles/glib-2.16.3.tar.bz2)= 72260f5f9022ee3f97b79b5705ad6117adc279fd
RIPEMD160(/tmp/glib-2.16.3.tar.bz2)= 72260f5f9022ee3f97b79b5705ad6117adc279fd

To me it would seem that either
1) the problem was in the mirror and has now been corrected
or 
2) the hash calculation routine was broken by something in the monodevelop dependencies
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-08-01 17:33:30 UTC 
Can you still reproduce, and, can you tell us from what mirror do you sync?
Comment 5 Juan Luis 2008-08-12 19:19:17 UTC 
(In reply to comment #4)
> Can you still reproduce, and, can you tell us from what mirror do you sync?
> 

 Tomorrow i'll try to reproduce it but i replaced the mirrors for working ones, the sync info is easy: sync'ed with every single sync mirror i know.