From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Petr Vorel <petr.vorel@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL
Date: Tue, 26 Dec 2023 22:18:02 +0100
Message-ID: <ZYtDChMnbWe_CoyF@landeda>
In-Reply-To: <20231226120251.693371-1-petr.vorel@gmail.com>

Petr, All,

On 2023-12-26 13:02 +0100, Petr Vorel spake thusly:
> Upstream in release 20231222 shipped self generated iputils-20231222.tar.gz,
> which is signed and thus has different checksum than "Source code (tar.gz)"
> generated by github. Therefore different URL needs to be used to get
> correct checksum.
> 
> Fixes:
> 
>   http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c
> 
> Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

Applied to master, thanks.

> ---
> Hi all,
> 
> I'm sorry for this error.  Although I tested package with utils/test-pkg
> I probably had cached package in dl/iputils, that's why I haven't
> noticed failing checksum [1]:

Ah, I also got bitten a few times now and then. No worries, thank you
for fixing it up promptly!

Regards,
Yann E. MORIN.

> >>> iputils 20231222 Downloading
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
> --2023-12-25 14:18:12--  https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> Resolving github.com (github.com)... 192.30.255.113
> Connecting to github.com (github.com)|192.30.255.113|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
> --2023-12-25 14:18:13--  https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
> Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
> Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [application/x-gzip]
> Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
> ...
> 2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]
> 
> ERROR: while checking hashes from package/iputils//iputils.hash
> ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
> ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
> ERROR: got     : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'
> 
> Package which buildroot uses via $(call github ...) is from archive:
> 
> $ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> $ sha256sum /tmp/iputils-20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  /tmp/iputils-20231222.tar.gz
> 
> But file which can be downloaded from releases page [2] is different:
> 
> $ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
> $ sha256sum iputils-20231222.tar.gz
> e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775  iputils-20231222.tar.gz
> 
> Previously we used file generated by iputils, which has the same checksum as
> these from archive:
> $ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
> $ sha256sum 20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  20231222.tar.gz
> 
> In the package I used the checksum which is generated with uploaded
> files and uploaded with them [3].
> 
> I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz, the
> content is the same. But the size differs:
> 
> $ stat -c "%s %n"  20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
> 546838 20231222.tar.gz
> 546838 /tmp/iputils-20231222.tar.gz
> 548875 iputils-20231222.tar.gz
> 
> I suppose the difference is that I signed files in the release [2], but
> files in archive are generated by github, thus obviously not signed.
> I suppose this is obvious, but until now I haven't realized it.
> 
> Kind regards,
> Petr
> 
> [1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
> [2] https://github.com/iputils/iputils/releases/tag/20231222
> [3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc
> 
>  package/iputils/iputils.mk | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
> index a8f93488bb..bcf440ec93 100644
> --- a/package/iputils/iputils.mk
> +++ b/package/iputils/iputils.mk
> @@ -5,7 +5,7 @@
>  ################################################################################
>  
>  IPUTILS_VERSION = 20231222
> -IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
> +IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
>  IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
>  IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
>  IPUTILS_CPE_ID_VENDOR = iputils_project
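Review bot: The new IPUTILS_SITE line has no comment saying why the release-asset URL is used instead of $(call github,...), so a later version bump could switch back to the helper and hit the same sha256 mismatch shown in the quoted autobuild log. A one-line comment above IPUTILS_SITE, noting that the hash in iputils.hash is the one published for the uploaded release tarball and not the GitHub-generated archive, would keep the URL and the hash in step. The diffstat touching only iputils.mk fits the log, where the expected hash e3ce5e1a... is already the release file's.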
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
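The comparison described in the quoted message (same file content, different archive bytes and therefore a different sha256) can be reproduced offline. This is an added example, not part of the thread or of Buildroot; the file names, contents and timestamps are constructed placeholders.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree; names and contents are placeholders, not iputils sources.
FILES = {"pkg-1.0/README": b"sample readme\n",
         "pkg-1.0/ping.c": b"int main(void){return 0;}\n"}

def make_tgz(files, mtime, level):
    """Build a .tar.gz in memory with the given timestamps and gzip level."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), mtime
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def content_manifest(blob):
    """Map member name -> sha256 of file data, ignoring tar and gzip metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def compare(a, b):
    """Report whether two archives match byte-for-byte and content-wise."""
    return {
        "archive_hash_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "content_equal": content_manifest(a) == content_manifest(b),
    }

def demo():
    generated = make_tgz(FILES, mtime=0, level=6)           # stands in for one packaging
    uploaded = make_tgz(FILES, mtime=1703200000, level=9)   # same files, repackaged
    changed = dict(FILES, **{"pkg-1.0/ping.c": b"int main(void){return 1;}\n"})
    tampered = make_tgz(changed, mtime=0, level=6)          # one file altered
    return compare(generated, uploaded), compare(generated, tampered)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A pinned archive hash cannot tell the first case (repackaging) from the second (altered content), which is why the hash and the download URL have to refer to the same artifact.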
