
[1/1] package/iputils: fix IPUTILS_SITE URL

Message ID 20231226120251.693371-1-petr.vorel@gmail.com
State Accepted

Commit Message

Petr Vorel Dec. 26, 2023, 12:02 p.m. UTC
Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
which is signed and thus has a different checksum than the "Source code (tar.gz)"
generated by GitHub. Therefore a different URL needs to be used to get
the correct checksum.

Fixes:

  http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c

Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
---
Hi all,

I'm sorry for this error.  Although I tested the package with utils/test-pkg,
I probably had a cached package in dl/iputils, that's why I haven't
noticed the failing checksum [1]:

>>> iputils 20231222 Downloading
wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
--2023-12-25 14:18:12--  https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
Resolving github.com (github.com)... 192.30.255.113
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
--2023-12-25 14:18:13--  https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
...
2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]

ERROR: while checking hashes from package/iputils//iputils.hash
ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
ERROR: got     : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'

The package which Buildroot uses via $(call github ...) is from the archive:

$ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
$ sha256sum /tmp/iputils-20231222.tar.gz
18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  /tmp/iputils-20231222.tar.gz

But the file which can be downloaded from the releases page [2] is different:

$ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
$ sha256sum iputils-20231222.tar.gz
e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775  iputils-20231222.tar.gz

Previously we used the file generated by iputils, which has the same checksum as
those from the archive:
$ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
$ sha256sum 20231222.tar.gz
18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f  20231222.tar.gz

In the package I used the checksum which is generated with the uploaded
files and uploaded with them [3].

I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz, the
content is the same. But the size differs:

$ stat -c "%s %n"  20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
546838 20231222.tar.gz
546838 /tmp/iputils-20231222.tar.gz
548875 iputils-20231222.tar.gz

I suppose the difference is that I signed the files in the release [2], but
the files in the archive are generated by GitHub, thus obviously not signed.
I suppose this is obvious, but until now I haven't realized it.

Kind regards,
Petr

[1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
[2] https://github.com/iputils/iputils/releases/tag/20231222
[3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc

 package/iputils/iputils.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
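
The comparison described in the message above (same content, different archive checksum), as an added Python example that is not part of the original e-mail or of Buildroot. It separates the digest of the compressed file, which is what a pinned hash covers, from a per-member digest of the unpacked data. The sample tree, packer settings and function names are constructed assumptions.

```python
import gzip
import hashlib
import io
import tarfile

def archive_sha256(blob):
    """Digest of the compressed file: the value a package .hash file pins."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map each member path to a digest of its data, ignoring packer metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
            elif member.issym() or member.islnk():
                manifest[member.name] = "link:" + member.linkname
    return manifest

def build_tarball(files, mtime, level, fmt):
    """Constructed sample: pack one tree with the given packer settings."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=fmt) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def compare(a, b):
    """Separate 'different bytes' from 'different source'."""
    return {"same_bytes": archive_sha256(a) == archive_sha256(b),
            "same_content": content_manifest(a) == content_manifest(b)}

# Constructed tree standing in for a source release (not iputils' real files).
TREE = {"pkg-1.0/ping.c": b"int main(void){return 0;}\n" * 40,
        "pkg-1.0/LICENSE": b"sample license text\n" * 20}
# The same tree packed twice with different timestamps, level and tar format.
forge_archive = build_tarball(TREE, 0, 6, tarfile.GNU_FORMAT)
release_asset = build_tarball(TREE, 1703203200, 9, tarfile.PAX_FORMAT)
# Same packer settings as forge_archive, but one source file changed.
modified = build_tarball({**TREE, "pkg-1.0/ping.c": b"int main(void){return 1;}\n"},
                         0, 6, tarfile.GNU_FORMAT)

if __name__ == "__main__":
    print(compare(forge_archive, release_asset), compare(forge_archive, modified))
```

A mismatch on the archive digest alone looks the same for a repacked tarball and a modified one; only the member-level manifest tells them apart, which is why the pinned hash has to be taken from the exact URL the build downloads.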

Comments

Yann E. MORIN Dec. 26, 2023, 9:18 p.m. UTC | #1
Petr, All,

On 2023-12-26 13:02 +0100, Petr Vorel spake thusly:
> Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
> which is signed and thus has a different checksum than the "Source code (tar.gz)"
> generated by GitHub. Therefore a different URL needs to be used to get
> the correct checksum.
> 
> Fixes:
> 
>   http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c
> 
> Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
> Signed-off-by: Petr Vorel <petr.vorel@gmail.com>

Applied to master, thanks.

> ---
> Hi all,
> 
> I'm sorry for this error.  Although I tested the package with utils/test-pkg,
> I probably had a cached package in dl/iputils, that's why I haven't
> noticed the failing checksum [1]:

Ah, I also got bitten a few times now and then. No worries, thank you
for fixing it up promptly!

Regards,
Yann E. MORIN.


Patch

diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
index a8f93488bb..bcf440ec93 100644
--- a/package/iputils/iputils.mk
+++ b/package/iputils/iputils.mk
@@ -5,7 +5,7 @@ 
 ################################################################################
 
 IPUTILS_VERSION = 20231222
-IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
+IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
 IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
 IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
 IPUTILS_CPE_ID_VENDOR = iputils_project
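
Review bot: The new IPUTILS_SITE line replaces $(call github,...) with a hard-coded releases/download URL but carries no comment saying why, so a later version bump could switch back to the helper and reintroduce the same hash mismatch. Suggest a one-line comment above IPUTILS_SITE stating that the hash pinned in iputils.hash belongs to the upstream-uploaded iputils-$(IPUTILS_VERSION).tar.gz release asset and not to the GitHub-generated archive. Since the diffstat shows only iputils.mk changing, it is also worth re-running the build with an empty dl/iputils so the download and hash check are exercised against the new URL rather than a cached file.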