[1/1] mongoose: fix hash

Message ID 20180906214220.854-1-fontaine.fabrice@gmail.com
State Rejected

Commit Message

Fabrice Fontaine Sept. 6, 2018, 9:42 p.m.
When bumping to version 6.7, hash was not updated

Fixes:
 - http://autobuild.buildroot.org/results/599920bc0a5821fd3fb0a028574a25a22e12430f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/mongoose/mongoose.hash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Baruch Siach Sept. 7, 2018, 3:35 a.m. | #1
Hi Fabrice,

Fabrice Fontaine writes:
> When bumping to version 6.7, hash was not updated

Commit 965c5ca57d3 (mongoose: bump to version 6.7) from April 2017, did
update the hash to its current value. You can find a tarball with this
hash at

  http://sources.buildroot.net/mongoose-6.7.tar.gz

But the current github download is indeed different. Not sure what went
wrong here, but this description is not correct.

baruch

> Fixes:
>  - http://autobuild.buildroot.org/results/599920bc0a5821fd3fb0a028574a25a22e12430f
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/mongoose/mongoose.hash | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
> index d5252eb687..049cd74885 100644
> --- a/package/mongoose/mongoose.hash
> +++ b/package/mongoose/mongoose.hash
> @@ -1,2 +1,2 @@
>  # Locally computed:
> -sha256	ccc971298db70963d3f13766c3246a3c36ae7e388acfab7ba2180149d9c8c64f  mongoose-6.7.tar.gz
> +sha256	7033c4c9ad0aac2aaa53864ff0bee5468a327a78a3218fb753d55a426a791189  mongoose-6.7.tar.gz
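
Review bot: the new digest on the `+sha256` line for `mongoose-6.7.tar.gz` sits under the unchanged "# Locally computed:" comment, and nothing in the patch or its message records which download produced it or whether that archive was compared with the one matching the removed `-sha256` line. Suggest adding the source URL and the result of unpacking and diffing both archives to the commit message, so a reviewer can tell a repacked tarball from changed sources before accepting a new pin.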

--
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
Thomas Petazzoni Sept. 7, 2018, 7:12 a.m. | #2
Hello,

On Fri, 07 Sep 2018 06:35:21 +0300, Baruch Siach wrote:

> Fabrice Fontaine writes:
> > When bumping to version 6.7, hash was not updated  
> 
> Commit 965c5ca57d3 (mongoose: bump to version 6.7) from April 2017, did
> update the hash to its current value. You can find a tarball with this
> hash at
> 
>   http://sources.buildroot.net/mongoose-6.7.tar.gz
> 
> But the current github download is indeed different. Not sure what went
> wrong here, but this description is not correct.

I saw Yann and Peter talking about github tarballs having changed again:

18:29 < Jacmet> hmm, looks like github tarballs again changed content :/
18:29 < Jacmet> http://autobuild.buildroot.net/results/599/599920bc0a5821fd3fb0a028574a25a22e12430f/build-end.log
18:42 < y_morin> Jacmet: At the same time, the fallback to s.b.o timeout, so maybe it is not a github issue either?
18:43 < Jacmet> y_morin: well, it did get a tarball from github and the hash didn't match
18:43 < y_morin> Jacmet: Arg, indeed. I even had another sha256 than the one in the report.
18:44 < Jacmet> y_morin: and downloading it from github here I also get the same (wrong) hash

Best regards,

Thomas
Yann E. MORIN Sept. 9, 2018, 10:20 a.m. | #3
Fabrice, Thomas, All,

On 2018-09-07 09:12 +0200, Thomas Petazzoni spake thusly:
> On Fri, 07 Sep 2018 06:35:21 +0300, Baruch Siach wrote:
> > But the current github download is indeed different. Not sure what went
> > wrong here, but this description is not correct.
> I saw Yann and Peter talking about github tarballs having changed again:
> 
> 18:29 < Jacmet> hmm, looks like github tarballs again changed content :/
> 18:29 < Jacmet> http://autobuild.buildroot.net/results/599/599920bc0a5821fd3fb0a028574a25a22e12430f/build-end.log
> 18:42 < y_morin> Jacmet: At the same time, the fallback to s.b.o timeout, so maybe it is not a github issue either?
> 18:43 < Jacmet> y_morin: well, it did get a tarball from github and the hash didn't match
> 18:43 < y_morin> Jacmet: Arg, indeed. I even had another sha256 than the one in the report.
> 18:44 < Jacmet> y_morin: and downloading it from github here I also get the same (wrong) hash

That does not happen for all archives, though... :-/

And I can see that indeed the generated tarball is different from the
one on s.b.o.: it slightly differs in the way directory entries are
stored... Except for that, the actual content is the same.

Regards,
Yann E. MORIN.
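
Added example (not part of the thread and not Buildroot code): one way to check the observation above, that two archives with different SHA-256 values differ only in how directory entries are stored. The archives are constructed in memory, and `build_tar`, `content_digest` and `compare` are hypothetical helper names.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar(files, with_dir_entries):
    """Build a constructed, in-memory .tar.gz from {path: bytes}."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        seen = set()
        for path in sorted(files):
            parent = path.rpartition("/")[0]
            if with_dir_entries and parent and parent not in seen:
                entry = tarfile.TarInfo(parent)
                entry.type, entry.mode = tarfile.DIRTYPE, 0o755
                tar.addfile(entry)
                seen.add(parent)
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(files[path]), 0o644
            tar.addfile(info, io.BytesIO(files[path]))
    return gzip.compress(raw.getvalue(), mtime=0)


def content_digest(archive):
    """Digest of non-directory members; order, mtime and owners are ignored."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = [m for m in tar.getmembers() if not m.isdir()]
        for m in sorted(members, key=lambda m: m.name):
            if m.isfile():
                body = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                body = "link:" + m.linkname  # symlink or hardlink target
            h.update(f"{m.name}\0{m.type.decode()}\0{m.mode:o}\0{body}\n".encode())
    return h.hexdigest()


def compare(a, b):
    """Return (same archive bytes, same content)."""
    return (hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            content_digest(a) == content_digest(b))


# Constructed sample tree, not the real Mongoose sources.
FILES = {"mongoose-6.7/mongoose.c": b"/* constructed */\n",
         "mongoose-6.7/mongoose.h": b"#pragma once\n"}
OLD = build_tar(FILES, with_dir_entries=True)
NEW = build_tar(FILES, with_dir_entries=False)
```

A matching content digest only shows that the file contents are unchanged; the `.hash` file still pins the exact archive bytes, so the download check keeps failing until the pin or the archive changes.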
Thomas Petazzoni Oct. 21, 2018, 4:06 p.m. | #4
Hello,

On Thu,  6 Sep 2018 23:42:20 +0200, Fabrice Fontaine wrote:
> When bumping to version 6.7, hash was not updated
> 
> Fixes:
>  - http://autobuild.buildroot.org/results/599920bc0a5821fd3fb0a028574a25a22e12430f
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/mongoose/mongoose.hash | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

I marked this patch as Rejected, because it would break older Buildroot
releases. Indeed, all Buildroot releases since 2017.05 are using
Mongoose 6.7. They currently fail to download Mongoose from Github due to
the hash mismatch, but they fall back to the Buildroot mirror
successfully.

If we update the hash, the Buildroot mirror will discard the current
6.7 tarball, and replace it with a new tarball having the new hash.
While this will make the new Buildroot releases happy, it would break
older Buildroot releases, that would no longer be able to download
either from Github or from the Buildroot mirror.

So instead, we need to bump to a newer Mongoose version, so that we can
keep the old mongoose-6.7 tarball on the Buildroot mirror to keep old
Buildroot releases happy.

So I've applied the following changes instead:

951f15b16f6167f4205988e5dde4d13e2f560791 package/mongoose: bump to version 6.13
7e62211976e0b9ddfd05a11fb24c61ed8a9a4491 package/mongoose: add hash for license file
dea3ab68400503bebf4152277d63813508f43424 package/mongoose: add security patch fixing CVE-2018-10945

Best regards,

Thomas

Patch

diff --git a/package/mongoose/mongoose.hash b/package/mongoose/mongoose.hash
index d5252eb687..049cd74885 100644
--- a/package/mongoose/mongoose.hash
+++ b/package/mongoose/mongoose.hash
@@ -1,2 +1,2 @@ 
 # Locally computed:
-sha256	ccc971298db70963d3f13766c3246a3c36ae7e388acfab7ba2180149d9c8c64f  mongoose-6.7.tar.gz
+sha256	7033c4c9ad0aac2aaa53864ff0bee5468a327a78a3218fb753d55a426a791189  mongoose-6.7.tar.gz
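
Review bot: the `+sha256` line keeps the file name `mongoose-6.7.tar.gz` while changing its digest, so one archive name would have to satisfy two different hashes: any tree that still carries the removed `-sha256` line will reject the archive this line accepts, and the reverse. Suggest leaving the existing name and hash pair untouched and moving the package to a version whose archive has a new file name, so the current pin stays valid for trees that already depend on it.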