Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL
@ 2023-12-26 12:02 Petr Vorel
  2023-12-26 21:18 ` Yann E. MORIN
  0 siblings, 1 reply; 2+ messages in thread
From: Petr Vorel @ 2023-12-26 12:02 UTC (permalink / raw)
  To: buildroot; +Cc: Petr Vorel, Yann E. MORIN, Thomas Petazzoni

Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
which is signed and thus has a different checksum than the "Source code (tar.gz)"
generated by GitHub. Therefore a different URL needs to be used to get
the correct checksum.

Fixes:

  http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c

Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
---
Hi all,

I'm sorry for this error.  Although I tested the package with utils/test-pkg,
I probably had a cached package in dl/iputils, that's why I didn't
notice the failing checksum [1]:

>>> iputils 20231222 Downloading
wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
--2023-12-25 14:18:12--  https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
Resolving github.com (github.com)... 192.30.255.113
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
--2023-12-25 14:18:13--  https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
...
2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]

ERROR: while checking hashes from package/iputils//iputils.hash
ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
ERROR: got     : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'

The package which Buildroot uses via $(call github ...) is from the archive:

$ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
$ sha256sum /tmp/iputils-20231222.tar.gz
18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  /tmp/iputils-20231222.tar.gz

But the file which can be downloaded from the releases page [2] is different:

$ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
$ sha256sum iputils-20231222.tar.gz
e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775  iputils-20231222.tar.gz

Previously we used the file generated by iputils, which has the same checksum as
those from the archive:

$ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
$ sha256sum 20231222.tar.gz
18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  20231222.tar.gz

In the package I used the checksum which is generated with the uploaded
files and uploaded with them [3].

I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz; the
content is the same. But the size differs:

$ stat -c "%s %n"  20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
546838 20231222.tar.gz
546838 /tmp/iputils-20231222.tar.gz
548875 iputils-20231222.tar.gz

I suppose the difference is that I signed the files in the release [2], but
the files in the archive are generated by GitHub, thus obviously not signed.
I suppose this is obvious, but until now I hadn't realized it.

Kind regards,
Petr

[1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
[2] https://github.com/iputils/iputils/releases/tag/20231222
[3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc

 package/iputils/iputils.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
index a8f93488bb..bcf440ec93 100644
--- a/package/iputils/iputils.mk
+++ b/package/iputils/iputils.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 IPUTILS_VERSION = 20231222
-IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
+IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
 IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
 IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
 IPUTILS_CPE_ID_VENDOR = iputils_project
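Review bot: the new IPUTILS_SITE line replaces the github helper with a hard-coded release download URL, and nothing in the file says why. A one-line comment above IPUTILS_SITE stating that the hash in iputils.hash is for the tarball upstream uploads to the release, not for the GitHub-generated archive, would keep a later version bump from switching back to $(call github,...) and reintroducing the sha256 mismatch.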
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
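
The comparison described in the message above, as an added example that is not part of the original mail or of Buildroot: it hashes two archives both as whole files and member by member, to tell a repackaged tarball from one whose contents changed. The file tree, names and timestamps are constructed sample data.

```python
import gzip, hashlib, io, tarfile

def make_targz(files, mtime, level):
    """Pack {path: bytes} into a .tar.gz; mtime and gzip level stand in for
    the differences between two archive producers."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """Hash of the archive bytes, i.e. what a .hash file pins."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map each regular file in the archive to the SHA-256 of its contents.
    File modes, owners and timestamps are deliberately not compared."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def classify(expected_blob, got_blob):
    """Explain a hash mismatch: same bytes, same files repacked, or changed files."""
    if archive_sha256(expected_blob) == archive_sha256(got_blob):
        return "identical archive"
    if content_manifest(expected_blob) == content_manifest(got_blob):
        return "repackaged, same content"
    return "content differs"

# Constructed sample tree, not the real iputils sources.
TREE = {"demo-1.0/src/main.c": b"int main(void) { return 0; }\n",
        "demo-1.0/LICENSE": b"sample license text\n"}
forge_archive = make_targz(TREE, mtime=0, level=6)             # forge-generated stand-in
release_archive = make_targz(TREE, mtime=1703203200, level=9)  # maintainer upload stand-in
tampered = make_targz({**TREE, "demo-1.0/src/main.c": b"int main(void) { return 1; }\n"},
                      mtime=0, level=6)

if __name__ == "__main__":
    print(classify(forge_archive, release_archive))
    print(classify(forge_archive, tampered))
```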


* Re: [Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL
  2023-12-26 12:02 [Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL Petr Vorel
@ 2023-12-26 21:18 ` Yann E. MORIN
  0 siblings, 0 replies; 2+ messages in thread
From: Yann E. MORIN @ 2023-12-26 21:18 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Thomas Petazzoni, buildroot

Petr, All,

On 2023-12-26 13:02 +0100, Petr Vorel spake thusly:
> Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
> which is signed and thus has a different checksum than the "Source code (tar.gz)"
> generated by GitHub. Therefore a different URL needs to be used to get
> the correct checksum.
> 
> Fixes:
> 
>   http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c
> 
> Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

Applied to master, thanks.

> ---
> Hi all,
> 
> I'm sorry for this error.  Although I tested the package with utils/test-pkg,
> I probably had a cached package in dl/iputils, that's why I didn't
> notice the failing checksum [1]:

Ah, I also got bitten a few times now and then. No worries, thank you
for fixing it up promptly!

Regards,
Yann E. MORIN.

> >>> iputils 20231222 Downloading
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
> --2023-12-25 14:18:12--  https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> Resolving github.com (github.com)... 192.30.255.113
> Connecting to github.com (github.com)|192.30.255.113|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
> --2023-12-25 14:18:13--  https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
> Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
> Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [application/x-gzip]
> Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
> ...
> 2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]
> 
> ERROR: while checking hashes from package/iputils//iputils.hash
> ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
> ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
> ERROR: got     : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'
> 
> The package which Buildroot uses via $(call github ...) is from the archive:
> 
> $ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> $ sha256sum /tmp/iputils-20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  /tmp/iputils-20231222.tar.gz
> 
> But the file which can be downloaded from the releases page [2] is different:
> 
> $ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
> $ sha256sum iputils-20231222.tar.gz
> e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775  iputils-20231222.tar.gz
> 
> Previously we used the file generated by iputils, which has the same checksum as
> those from the archive:
> 
> $ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
> $ sha256sum 20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  20231222.tar.gz
> 
> In the package I used the checksum which is generated with the uploaded
> files and uploaded with them [3].
> 
> I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz; the
> content is the same. But the size differs:
> 
> $ stat -c "%s %n"  20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
> 546838 20231222.tar.gz
> 546838 /tmp/iputils-20231222.tar.gz
> 548875 iputils-20231222.tar.gz
> 
> I suppose the difference is that I signed the files in the release [2], but
> the files in the archive are generated by GitHub, thus obviously not signed.
> I suppose this is obvious, but until now I hadn't realized it.
> 
> Kind regards,
> Petr
> 
> [1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
> [2] https://github.com/iputils/iputils/releases/tag/20231222
> [3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc
> 
>  package/iputils/iputils.mk | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
> index a8f93488bb..bcf440ec93 100644
> --- a/package/iputils/iputils.mk
> +++ b/package/iputils/iputils.mk
> @@ -5,7 +5,7 @@
>  ################################################################################
>  
>  IPUTILS_VERSION = 20231222
> -IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
> +IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
>  IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
>  IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
>  IPUTILS_CPE_ID_VENDOR = iputils_project
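Review bot: with the github helper gone from IPUTILS_SITE, the download depends on upstream attaching an asset named iputils-$(IPUTILS_VERSION).tar.gz to every release, which a tag alone does not guarantee. Worth saying so in the commit message, so that whoever bumps IPUTILS_VERSION checks the release page for the uploaded tarball and its sha256sums.asc before updating the hash.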
> -- 
> 2.43.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'