Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL
@ 2023-12-26 12:02 Petr Vorel
  2023-12-26 21:18 ` Yann E. MORIN
  0 siblings, 1 reply; 2+ messages in thread
From: Petr Vorel @ 2023-12-26 12:02 UTC (permalink / raw)
  To: buildroot; +Cc: Petr Vorel, Yann E. MORIN, Thomas Petazzoni

Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
which is signed and thus has a different checksum than the "Source code (tar.gz)"
generated by GitHub. Therefore a different URL needs to be used to get the
correct checksum.

Fixes:

  http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c

Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
---
Hi all,

I'm sorry for this error.  Although I tested the package with utils/test-pkg,
I probably had a cached package in dl/iputils, which is why I didn't
notice the failing checksum [1]:

>>> iputils 20231222 Downloading
wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
--2023-12-25 14:18:12--  https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
Resolving github.com (github.com)... 192.30.255.113
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
--2023-12-25 14:18:13--  https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
...
2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]

ERROR: while checking hashes from package/iputils//iputils.hash
ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
ERROR: got     : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'

The package which Buildroot uses via $(call github ...) is from the archive:

$ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
$ sha256sum /tmp/iputils-20231222.tar.gz
18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  /tmp/iputils-20231222.tar.gz

But the file which can be downloaded from the releases page [2] is different:

$ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
$ sha256sum iputils-20231222.tar.gz
e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775  iputils-20231222.tar.gz

Previously we used the file generated by iputils, which has the same checksum as
those from the archive:
$ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
$ sha256sum 20231222.tar.gz
18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  20231222.tar.gz

In the package I used the checksum which is generated with the uploaded
files and uploaded with them [3].

I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz; the
content is the same, but the size differs:

$ stat -c "%s %n"  20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
546838 20231222.tar.gz
546838 /tmp/iputils-20231222.tar.gz
548875 iputils-20231222.tar.gz

I suppose the difference is that I signed the files in the release [2], but
the files in the archive are generated by GitHub, thus obviously not signed.
I suppose this is obvious, but until now I hadn't realized it.

Kind regards,
Petr

[1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
[2] https://github.com/iputils/iputils/releases/tag/20231222
[3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc

 package/iputils/iputils.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
index a8f93488bb..bcf440ec93 100644
--- a/package/iputils/iputils.mk
+++ b/package/iputils/iputils.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 IPUTILS_VERSION = 20231222
-IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
+IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
 IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
 IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
 IPUTILS_CPE_ID_VENDOR = iputils_project
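
Review bot: The new IPUTILS_SITE line carries no comment explaining why the github helper was dropped, so a later version bump could easily switch it back to $(call github,...) and reintroduce the hash mismatch. A one-line comment above it would help, for example "# Use the uploaded release asset; its sha256 differs from the GitHub-generated tag archive". The diffstat touches only iputils.mk, which is consistent with the message: the expected hash in the autobuilder log (e3ce5e1a...) already matches the releases/download file, so iputils.hash needs no new value, but it is worth confirming that the comment in iputils.hash names sha256sums.asc [3] as the source of that hash.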
-- 
2.43.0
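
The comparison described in the message above (same content, different size and sha256), as an added example that is not part of the original post or of Buildroot. The sample files are constructed, and `make_tarball`, `archive_digest`, `content_digests` and `compare` are hypothetical helper names; the point is that a pinned sha256 covers the compressed bytes, so two tarballs with identical members still hash differently when gzip level or header metadata differ.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a source release (not real iputils files).
FILES = {
    "pkg-1.0/README": b"sample readme\n" * 50,
    "pkg-1.0/ping.c": b"int main(void) { return 0; }\n" * 200,
}

def make_tarball(files, level, mtime):
    """Build a .tar.gz in memory with a chosen gzip level and gzip header mtime."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # fixed so the tar layer is reproducible
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """sha256 over the compressed bytes: the value a package .hash file pins."""
    return hashlib.sha256(blob).hexdigest()

def content_digests(blob):
    """Map each regular member to the sha256 of its data, ignoring the container."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                result[member.name] = hashlib.sha256(data).hexdigest()
    return result

def compare(a, b):
    """Return (same_archive_bytes, same_member_content) for two tarballs."""
    return (archive_digest(a) == archive_digest(b),
            content_digests(a) == content_digests(b))

if __name__ == "__main__":
    generated = make_tarball(FILES, level=6, mtime=0)          # stand-in for the tag archive
    uploaded = make_tarball(FILES, level=9, mtime=1703246400)  # stand-in for the release asset
    print(len(generated), len(uploaded))
    print(compare(generated, uploaded))
```

A mismatch in the first value with a match in the second is the benign case seen here; a mismatch in both means the member data itself changed and the download should not be trusted.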
