
Bug 583082

Summary: mirror.yandex.ru digest verification problems for chromium-51.0.2704.36
Product: Mirrors
Reporter: Alexander Sergeyev <sergeev917>
Component: Server Problem
Assignee: Mirror Admins <mirror-admin>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: part of emerge log

Description Alexander Sergeyev 2016-05-15 09:49:07 UTC
Created attachment 434326
part of emerge log

I've received a digest verification failure for the chromium source package, which was fetched from mirror.yandex.ru (the error is present on both http and ftp resources):

!!! Fetched file: chromium-51.0.2704.36.tar.xz VERIFY FAILED!
!!! Reason: Failed on SHA256 verification
!!! Got:      8ad79c62b9561e5acbb132870dd6c3774b8ca29e08c25acee5f23322258d40f9
!!! Expected: 3573249343c4dc19b5d56c51a6986c4742ba7f62c0c60fea14e2ff146c92d753

A source tarball from the official URL (https://commondatastorage.googleapis.com/chromium-browser-official/chromium-51.0.2704.36.tar.xz) passed the digest verification. And since the latter goes over https, it gives a little bit more confidence that the problem is on the mirror side.

Given that mirror.yandex.ru operates on unprotected protocols (i.e. no https), I checked for the problem from three different servers across the city, and the sha256 is the same (= bad).

The related part of emerge log is attached.
Could you investigate the problem?
Comment 1 Alexander Sergeyev 2016-05-15 09:54:18 UTC
Actually, when I tried to get a diff between the source trees, I got an archive corruption message for the "bad" tarball:
xz: (stdin): Compressed data is corrupt

So, the situation is less about security and more about (probably) a disk storage failure. But this is still a problem for the mirror.
Comment 2 Joe Kappus 2016-06-11 20:14:07 UTC
Mirror verification failure confirmed here as well. Same sha256sum result.

Yandex mirror not best mirror.
Comment 3 Michał Górny (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2016-06-17 11:54:24 UTC

*** This bug has been marked as a duplicate of bug 581924 ***
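
The triage carried out in the description and comment 1 (compare the SHA256 with the expected value, then test whether the xz container still decodes) can be scripted. This is an added example, not part of the original bug report; the function names are hypothetical and the sample archives are constructed in memory, and `demo()` runs the three cases.

```python
import hashlib
import lzma
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB pieces; real distfiles are hundreds of MB

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def xz_is_intact(path):
    """Decode the whole .xz stream, discarding the output (like `xz -t`)."""
    try:
        with lzma.open(path, "rb", format=lzma.FORMAT_XZ) as f:
            while f.read(CHUNK):
                pass
        return True
    except (lzma.LZMAError, EOFError):  # corrupt data / truncated stream
        return False

def triage(path, expected_sha256):
    """Return 'verified', 'corrupt-archive' or 'intact-but-different'.
    Anything other than 'verified' means the file must not be used."""
    if sha256_file(path) == expected_sha256.lower():
        return "verified"
    return "intact-but-different" if xz_is_intact(path) else "corrupt-archive"

def demo():
    # Constructed sample data, not the real chromium tarball.
    body = b"".join(hashlib.sha256(b"%d" % i).digest() for i in range(2048))
    good = lzma.compress(body, format=lzma.FORMAT_XZ)
    damaged = bytearray(good)
    damaged[len(damaged) // 2] ^= 0xFF  # one flipped byte mid-stream
    other = lzma.compress(body + b"extra", format=lzma.FORMAT_XZ)
    expected = hashlib.sha256(good).hexdigest()  # stands in for the Manifest
    results = []
    for blob in (good, bytes(damaged), other):
        with tempfile.NamedTemporaryFile(suffix=".tar.xz", delete=False) as tmp:
            tmp.write(blob)
        results.append(triage(tmp.name, expected))
        os.unlink(tmp.name)
    return results
```

A "corrupt-archive" result is consistent with the storage or transfer damage suspected in comment 1, while "intact-but-different" means a well-formed archive whose content is not what the digest pins, which calls for closer investigation.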