Bug 214879 - sys-apps/portage-2.1.4.4 doesn't verify checksums after redownloading a broken file with FEATURES=-strict
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support
Hardware: All Linux
Importance: High normal
Assignee: Portage team
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks: 216231
Reported: 2008-03-26 13:55 UTC by Petteri Räty (RETIRED)
Modified: 2008-04-04 22:24 UTC (History)

Description Petteri Räty (RETIRED) gentoo-dev 2008-03-26 13:55:26 UTC
pena activesupport # devebuild activesupport-2.0.2.ebuild clean unpack
!!! Previously fetched file: 'activesupport-2.0.2.gem'
!!! Reason: Failed on RMD160 verification
!!! Got:      2b70cf3eb6740121f793c2b9116c74f06c6b08da
!!! Expected: 2b1d7c62364c33ddbafa0ba865978d3ffdaf9d41
Refetching... File renamed to '/var/distfiles/activesupport-2.0.2.gem._checksum_failure_.reS2im'

>>> Downloading 'http://trumpetti.atm.tut.fi/gentoo/distfiles/activesupport-2.0.2.gem'
--2008-03-26 15:23:00--  http://trumpetti.atm.tut.fi/gentoo/distfiles/activesupport-2.0.2.gem
Resolving trumpetti.atm.tut.fi... 130.230.54.100
Connecting to trumpetti.atm.tut.fi|130.230.54.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 234496 (229K) [text/plain]
Saving to: `/var/distfiles/activesupport-2.0.2.gem'

100%[==================================================================================================================================>] 234,496     --.-K/s   in 0.05s

2008-03-26 15:23:00 (4.17 MB/s) - `/var/distfiles/activesupport-2.0.2.gem' saved [234496/234496]

>>> Unpacking source...
>>> Source unpacked.
pena activesupport # devebuild activesupport-2.0.2.ebuild clean unpack
!!! Previously fetched file: 'activesupport-2.0.2.gem'
!!! Reason: Failed on RMD160 verification
!!! Got:      2b70cf3eb6740121f793c2b9116c74f06c6b08da
!!! Expected: 2b1d7c62364c33ddbafa0ba865978d3ffdaf9d41
Refetching... File renamed to '/var/distfiles/activesupport-2.0.2.gem._checksum_failure_.reS2im'

>>> Downloading 'http://trumpetti.atm.tut.fi/gentoo/distfiles/activesupport-2.0.2.gem'
--2008-03-26 15:51:22--  http://trumpetti.atm.tut.fi/gentoo/distfiles/activesupport-2.0.2.gem
Resolving trumpetti.atm.tut.fi... 130.230.54.100
Connecting to trumpetti.atm.tut.fi|130.230.54.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 234496 (229K) [text/plain]
Saving to: `/var/distfiles/activesupport-2.0.2.gem'

100%[==================================================================================================================================>] 234,496     --.-K/s   in 0.06s

2008-03-26 15:51:22 (3.66 MB/s) - `/var/distfiles/activesupport-2.0.2.gem' saved [234496/234496]

>>> Unpacking source...
>>> Source unpacked.

The Manifest entry is borked and Portage doesn't complain about it when strict is off. When there aren't any problems ebuild does check it:

pena activesupport # devebuild activesupport-1.3.1.ebuild clean unpack
 * activesupport-1.3.1.gem RMD160 SHA1 SHA256 size ;-) ...                                                                                                           [ ok ]
>>> Unpacking source...
>>> Source unpacked.
Comment 1 Zac Medico gentoo-dev 2008-03-26 16:36:19 UTC
So, the expected behavior is that it should show a warning message and continue despite the invalid checksum?
Comment 2 Petteri Räty (RETIRED) gentoo-dev 2008-03-26 22:31:40 UTC
(In reply to comment #1)
> So, the expected behavior is that it should show a warning message and continue
> despite the invalid checksum?
> 

It should fail like it does when the file is not already in DISTDIR.
Comment 3 Zac Medico gentoo-dev 2008-03-26 23:07:11 UTC
Hmm, are we talking about behavior with FEATURES=strict enabled or disabled? Perhaps the bug summary should say FEATURES=strict instead of FEATURES=-strict? If you are trying to confuse me then you have succeeded. :P
Comment 4 Zac Medico gentoo-dev 2008-03-26 23:25:20 UTC
from make.conf.5:

strict
    Have portage react strongly to conditions that have the potential to be dangerous (like missing or incorrect digests for ebuilds or distfiles).


So, shouldn't it ignore an incorrect digest if "strict" is disabled?
Comment 5 Marius Mauch (RETIRED) gentoo-dev 2008-03-27 09:22:32 UTC
Historically "strict" enabled checksum checks for the manifest types EBUILD and AUX (and MISC in some versions), but DIST files were always checked independent of "strict".
It doesn't make sense to skip checksum verification of distfiles in this case anyway as it only delays the failure till the checksum check before unpack, while for other types the check is skipped completely with "-strict".
Comment 6 Zac Medico gentoo-dev 2008-03-27 16:50:48 UTC
Okay, it's fixed in svn r9519 so that distfiles are always checked in any case.
Comment 7 Zac Medico gentoo-dev 2008-04-04 22:24:50 UTC
This is fixed in 2.1.5_rc1.
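
The behaviour the thread settles on (a distfile is re-verified after a refetch and the build stops on a second mismatch, whether or not "strict" is set) can be sketched as follows. This is an added example, not Portage's code: the function names, the `fetcher` callable and the sample data are hypothetical, and it checks size, SHA1 and SHA256 only, because RMD160 availability in Python's hashlib depends on the OpenSSL build.

```python
import hashlib
import os
import tempfile
from pathlib import Path

class DigestFailure(Exception):
    """A distfile does not match its Manifest entry even after a refetch."""

def verify(path, expected):
    """Check size, then each listed hash. Returns (ok, failed_check)."""
    if os.path.getsize(path) != expected["size"]:
        return False, "size"
    data = Path(path).read_bytes()
    for algo in ("SHA1", "SHA256"):
        if algo in expected and hashlib.new(algo.lower(), data).hexdigest() != expected[algo]:
            return False, algo
    return True, None

def fetch_and_verify(path, expected, fetcher, strict=False):
    # `strict` mirrors the FEATURES flag but is ignored on purpose:
    # DIST entries are checked whether or not it is set.
    if os.path.exists(path):
        if verify(path, expected)[0]:
            return path
        # Set the bad copy aside, as in the log above, then refetch.
        fd, aside = tempfile.mkstemp(
            prefix=os.path.basename(path) + "._checksum_failure_.",
            dir=os.path.dirname(path))
        os.close(fd)
        os.replace(path, aside)
    fetcher(path)  # hypothetical callable that downloads to `path`
    ok, failed = verify(path, expected)  # the check skipped after refetch
    if not ok:
        raise DigestFailure(f"{os.path.basename(path)}: failed on {failed} after refetch")
    return path

def demo():
    """Constructed case: the mirror keeps serving bytes the Manifest rejects."""
    good = b"constructed distfile contents"
    manifest = {"size": len(good), "SHA256": hashlib.sha256(good).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "example-1.0.gem")
        Path(target).write_bytes(b"y" * len(good))  # stale copy in DISTDIR
        try:
            fetch_and_verify(target, manifest, lambda p: Path(p).write_bytes(b"x" * len(good)))
        except DigestFailure as err:
            return str(err)
    return "unpacked"
```

Calling `demo()` reproduces the situation in the report, where the refetched file still disagrees with the Manifest, and returns the failure message instead of proceeding to unpack.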