| Summary: | upstream tarball for graphviz 1.12 has changed size, and no longer matches the digest | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | ted.reed |
| Component: | Current packages | Assignee: | Gentoo Graphics Project <graphics+disabled> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | critical | CC: | abusch, graphics+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
ted.reed
2004-09-18 23:08:23 UTC
I checked - the tarball contents are identical. Assuming it's just a different gzip compression option on it. I still have the old tarball on my local mirror so I'm not going to fix this just yet.

Identical as in same filenames? Or did you check the md5sums one by one? 100KB more seems a little odd to me. It reminds me of the time some server or another was compromised and backdoor code was injected into the xchat source.

The problem is that graphviz doesn't increase their version number for subversions. They have a release tag on their rpm source, but even this is outdated -1. On the mailing lists you can read that they're talking about 1.12 (v7) and 1.12 (v11), but I couldn't find any hint inside the source code, except that it's 800K bigger now and using a newer automake/conf/lisp and so on. There are also newer versions up to 1.17 but some input/output is incompatible with 1.12, so be careful. I think it would be best to update the gentoo mirrors once and comment out the original SRC_URI with a remark to subversions. Instead use the gentoo mirrors release.

So does that mean that the configure.ac patch that the 1.12 ebuild uses isn't needed anymore?

(Sorry 100k not 800k) About the ebuild with the newer original archive: More precisely it doesn't work anymore using the configure patch. Also remove rm, aclocal, autoconf and automake lines. The build fix is still ok. Note that you'll have to delete the digest file, otherwise the download will resume on a mirror site, since the newer original archive is a little bit smaller. It compiles, installs and works well, at least on x86 with TCLTK installed. But I guess, now we have the same problem as before for machines not having tcl/tk as there is no explicit configure option for that.

Not a security problem. Reassigning to package maintainers...

Alright, someone really needs to convince them to use micro version numbers in their tarballs. This is causing an annoying amount of trouble.

After dancing through the digest and mirror stuff, and editing the ebuild by hand, I *think* I've got it working. (It's still compiling.) Pain in the ass though.

Just did an emerge -f =graphviz-1.12 and got no complaints. Please reopen if this is still an issue.
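The check asked about in the thread (comparing archive members one by one rather than by filename or archive size), as an added example that is not part of the original bug report or of Portage. It uses SHA-256 instead of md5sum, and the `pkg-1.0` file names and contents are constructed sample data, not the graphviz tarball.

```python
import gzip, hashlib, io, tarfile

def member_digests(blob):
    """Map every member of a .tar.gz (given as bytes) to a content fingerprint."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                # Non-regular members: record type and link target so a
                # swapped symlink or directory also shows up as a change.
                out[m.name] = f"type={m.type!r} link={m.linkname}"
    return out

def diff_tarballs(old_blob, new_blob):
    """Return members added, removed, or changed between two archives."""
    old, new = member_digests(old_blob), member_digests(new_blob)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def build_sample(files, level, stamp):
    """Build a constructed .tar.gz in memory (sample input for this example)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # Different level and gzip header timestamp: same payload, different bytes.
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=stamp)

# Constructed sample archives.
BASE = {"pkg-1.0/configure.ac": b"AC_INIT(pkg, 1.0)\n",
        "pkg-1.0/main.c": b"int main(void) { return 0; }\n"}
ORIGINAL = build_sample(BASE, 9, 1)
RECOMPRESSED = build_sample(BASE, 1, 2)          # only the gzip layer differs
REROLLED = build_sample({**BASE,                 # silently re-rolled release
                         "pkg-1.0/main.c": b"int main(void) { return 1; }\n",
                         "pkg-1.0/aclocal.m4": b"# regenerated\n"}, 9, 1)

if __name__ == "__main__":
    print("archive bytes equal:", ORIGINAL == RECOMPRESSED)
    print("recompressed:", diff_tarballs(ORIGINAL, RECOMPRESSED))
    print("re-rolled:   ", diff_tarballs(ORIGINAL, REROLLED))
```

An empty diff supports the "different gzip option" explanation; any entry under `changed` or `added` needs to be read before the digest is regenerated.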