Message ID | 20180906214220.854-1-fontaine.fabrice@gmail.com |
---|---|
State | Rejected |
Headers | show |
Series | [1/1] mongoose: fix hash | expand |
Hi Fabrice, Fabrice Fontaine writes: > When bumping to version 6.7, hash was not updated Commit 965c5ca57d3 (mongoose: bump to version 6.7) from April 2017, did update the hash to its current value. You can find a tarball with this hash at http://sources.buildroot.net/mongoose-6.7.tar.gz But the current github download is indeed different. Not sure what went wrong here, but this description is not correct. baruch > Fixes: > - http://autobuild.buildroot.org/results/599920bc0a5821fd3fb0a028574a25a22e12430f > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > --- > package/mongoose/mongoose.hash | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash > index d5252eb687..049cd74885 100644 > --- a/package/mongoose/mongoose.hash > +++ b/package/mongoose/mongoose.hash > @@ -1,2 +1,2 @@ > # Locally computed: > -sha256 ccc971298db70963d3f13766c3246a3c36ae7e388acfab7ba2180149d9c8c64f mongoose-6.7.tar.gz > +sha256 7033c4c9ad0aac2aaa53864ff0bee5468a327a78a3218fb753d55a426a791189 mongoose-6.7.tar.gz -- http://baruch.siach.name/blog/ ~. .~ Tk Open Systems =}------------------------------------------------ooO--U--Ooo------------{= - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
Hello, On Fri, 07 Sep 2018 06:35:21 +0300, Baruch Siach wrote: > Fabrice Fontaine writes: > > When bumping to version 6.7, hash was not updated > > Commit 965c5ca57d3 (mongoose: bump to version 6.7) from April 2017, did > update the hash to its current value. You can find a tarball with this > hash at > > http://sources.buildroot.net/mongoose-6.7.tar.gz > > But the current github download is indeed different. Not sure what went > wrong here, but this description is not correct. I saw Yann and Peter talking about github tarballs having changed again: 18:29 < Jacmet> hmm, looks like github tarballs again changed content :/ 18:29 < Jacmet> http://autobuild.buildroot.net/results/599/599920bc0a5821fd3fb0a028574a25a22e12430f/build-end.log 18:42 < y_morin> Jacmet: At the same time, the fallback to s.b.o timeout, so maybe it is not a github issue either? 18:43 < Jacmet> y_morin: well, it did get a tarball from github and the hash didn't match 18:43 < y_morin> Jacmet: Arg, indeed. I even had another sha256 than the one in the report. 18:44 < Jacmet> y_morin: and downloading it from github here I also get the same (wrong) hash Best regards, Thomas
Fabrice, Thomas, All, On 2018-09-07 09:12 +0200, Thomas Petazzoni spake thusly: > On Fri, 07 Sep 2018 06:35:21 +0300, Baruch Siach wrote: > > But the current github download is indeed different. Not sure what went > > wrong here, but this description is not correct. > I saw Yann and Peter talking about github tarballs having changed again: > > 18:29 < Jacmet> hmm, looks like github tarballs again changed content :/ > 18:29 < Jacmet> http://autobuild.buildroot.net/results/599/599920bc0a5821fd3fb0a028574a25a22e12430f/build-end.log > 18:42 < y_morin> Jacmet: At the same time, the fallback to s.b.o timeout, so maybe it is not a github issue either? > 18:43 < Jacmet> y_morin: well, it did get a tarball from github and the hash didn't match > 18:43 < y_morin> Jacmet: Arg, indeed. I even had another sha256 than the one in the report. > 18:44 < Jacmet> y_morin: and downloading it from github here I also get the same (wrong) hash That does not happen for all archives, though... :-/ And I can see that indeed the generated tarball is different from the one on s.b.o.: it slightly differ in the way directory entries are stored... Except for that, the actual content is the same. Regards, Yann E. MORIN.
Hello, On Thu, 6 Sep 2018 23:42:20 +0200, Fabrice Fontaine wrote: > When bumping to version 6.7, hash was not updated > > Fixes: > - http://autobuild.buildroot.org/results/599920bc0a5821fd3fb0a028574a25a22e12430f > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > --- > package/mongoose/mongoose.hash | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) I marked this patch as Rejected, because it would break older Buildroot releases. Indeed, all Buildroot releases since 2017.05 are using Mongoose 6.7. They currently fail to download Mongoose from Github due the hash mismatch, but they fall back to the Buildroot mirror successfully. If we update the hash, the Buildroot mirror will discard the current 6.7 tarball, and replace it with a new tarball having the new hash. While this will make the new Buildroot releases happy it would break older Buildroot releases, that would no longer be able to download neither from Github nor from the Buildroot mirror. So instead, we need to bump to a newer Mongoose version, so that we can keep the old mongoose-6.7 tarball on the Buildroot mirror to keep old Buildroot releases happy. So I've applied the following changes instead: 951f15b16f6167f4205988e5dde4d13e2f560791 package/mongoose: bump to version 6.13 7e62211976e0b9ddfd05a11fb24c61ed8a9a4491 package/mongoose: add hash for license file dea3ab68400503bebf4152277d63813508f43424 package/mongoose: add security patch fixing CVE-2018-10945 Best regards, Thomas
diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash index d5252eb687..049cd74885 100644 --- a/package/mongoose/mongoose.hash +++ b/package/mongoose/mongoose.hash @@ -1,2 +1,2 @@ # Locally computed: -sha256 ccc971298db70963d3f13766c3246a3c36ae7e388acfab7ba2180149d9c8c64f mongoose-6.7.tar.gz +sha256 7033c4c9ad0aac2aaa53864ff0bee5468a327a78a3218fb753d55a426a791189 mongoose-6.7.tar.gz
When bumping to version 6.7, hash was not updated Fixes: - http://autobuild.buildroot.org/results/599920bc0a5821fd3fb0a028574a25a22e12430f Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- package/mongoose/mongoose.hash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)