From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Petr Vorel <petr.vorel@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL
Date: Tue, 26 Dec 2023 22:18:02 +0100
Message-ID: <ZYtDChMnbWe_CoyF@landeda>
In-Reply-To: <20231226120251.693371-1-petr.vorel@gmail.com>
Petr, All,
On 2023-12-26 13:02 +0100, Petr Vorel spake thusly:
> Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
> which is signed and thus has a different checksum than the "Source code (tar.gz)"
> generated by GitHub. Therefore a different URL needs to be used to get
> the correct checksum.
>
> Fixes:
>
> http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c
>
> Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Applied to master, thanks.
> ---
> Hi all,
>
> I'm sorry for this error. Although I tested the package with utils/test-pkg,
> I probably had a cached package in dl/iputils, that's why I didn't
> notice the failing checksum [1]:
Ah, I also got bitten a few times now and then. No worries, thank you
for fixing it up promptly!
Regards,
Yann E. MORIN.
> >>> iputils 20231222 Downloading
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
> --2023-12-25 14:18:12-- https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> Resolving github.com (github.com)... 192.30.255.113
> Connecting to github.com (github.com)|192.30.255.113|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
> --2023-12-25 14:18:13-- https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
> Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
> Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [application/x-gzip]
> Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
> ...
> 2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]
>
> ERROR: while checking hashes from package/iputils//iputils.hash
> ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
> ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
> ERROR: got : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'
>
> The package which Buildroot uses via $(call github ...) is from the archive:
>
> $ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> $ sha256sum /tmp/iputils-20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f /tmp/iputils-20231222.tar.gz
>
> But the file which can be downloaded from the releases page [2] is different:
>
> $ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
> $ sha256sum iputils-20231222.tar.gz
> e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775 iputils-20231222.tar.gz
>
> Previously we used the file generated by iputils, which has the same checksum as
> those from the archive:
> $ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
> $ sha256sum 20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f 20231222.tar.gz
>
> In the package I used the checksum which is generated with the uploaded
> files and uploaded with them [3].
>
> I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz, the
> content is the same. But the size differs:
>
> $ stat -c "%s %n" 20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
> 546838 20231222.tar.gz
> 546838 /tmp/iputils-20231222.tar.gz
> 548875 iputils-20231222.tar.gz
>
> I suppose the difference is that I signed the files in the release [2], but
> the files in the archive are generated by GitHub, thus obviously not signed.
> I suppose this is obvious, but until now I hadn't realized it.
>
> Kind regards,
> Petr
>
> [1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
> [2] https://github.com/iputils/iputils/releases/tag/20231222
> [3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc
>
> package/iputils/iputils.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
> index a8f93488bb..bcf440ec93 100644
> --- a/package/iputils/iputils.mk
> +++ b/package/iputils/iputils.mk
> @@ -5,7 +5,7 @@
> ################################################################################
>
> IPUTILS_VERSION = 20231222
> -IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
> +IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
> IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
> IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
> IPUTILS_CPE_ID_VENDOR = iputils_project
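Review bot: the new IPUTILS_SITE line has no comment explaining why the release-download URL is used instead of $(call github,iputils,iputils,$(IPUTILS_VERSION)). Both URLs deliver a file named iputils-20231222.tar.gz but with different sha256 values (see the log and the sha256sum output above), so a later cleanup back to the github helper would reintroduce the hash failure. A one-line comment above IPUTILS_SITE stating that the hash in iputils.hash is the one from upstream's sha256sums.asc for the uploaded tarball would guard against that. It is also worth re-running utils/test-pkg with an empty dl/iputils, since a cached tarball hid the mismatch the first time.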
> --
> 2.43.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
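The "same content, different checksum" comparison described in the quoted notes above, as an added example (not part of the original thread or of Buildroot): two constructed tarballs built in memory stand in for the GitHub-generated archive and the uploaded release asset, and are compared by archive hash and by a per-file content manifest. The file names, contents, timestamps and helper names are assumptions for illustration.

```python
import gzip
import hashlib
import io
import tarfile


def make_tarball(files, top, mtime, level):
    """Build a .tar.gz in memory (constructed sample data, not the real iputils release)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            info.mtime = mtime  # tar header metadata, not file content
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=mtime)


def content_manifest(blob):
    """Map member path (top-level directory stripped) -> sha256 of the file data."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()
                manifest[path] = hashlib.sha256(data).hexdigest()
    return manifest


def compare(blob_a, blob_b):
    """Return (archive hashes equal?, file contents equal?)."""
    same_archive = hashlib.sha256(blob_a).digest() == hashlib.sha256(blob_b).digest()
    return same_archive, content_manifest(blob_a) == content_manifest(blob_b)


# Constructed stand-ins for the two downloads discussed in the thread.
TOP = "iputils-20231222"
FILES = {"ping/ping.c": b"int main(void) { return 0; }\n", "LICENSE": b"GPL-2.0+\n"}
auto_archive = make_tarball(FILES, TOP, mtime=1703200000, level=6)
release_asset = make_tarball(FILES, TOP, mtime=1703203600, level=9)
tampered = make_tarball({**FILES, "LICENSE": b"changed\n"}, TOP, 1703203600, 9)

if __name__ == "__main__":
    print(compare(auto_archive, release_asset))  # (False, True)
    print(compare(release_asset, tampered))      # (False, False)
```

A matching manifest shows that a hash mismatch comes from packaging rather than from changed files, but the entry in the .hash file still has to be computed from the exact artifact that the package's _SITE URL downloads.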