I've been trying to build deluge 1.3.0 but am getting failures for all three
checksums. Here's what I see in the logs:
:msg:fetch ---> Attempting to fetch deluge-1.3.0.tar.bz2 from
http://download.deluge-torrent.org/source/
:msg:fetch ---> Verifying checksum(s) for deluge
:debug:checksum checksum phase started at Thu Sep 30 15:48:32 BST 2010
:debug:checksum Executing org.macports.checksum (deluge)
:info:checksum ---> Checksumming deluge-1.3.0.tar.bz2
:error:checksum Checksum (md5) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5
d3cdb501983fcf793ee368b5a8e429c0
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5
5fca34e2e31753a8ba0ccb942f0e993e
:error:checksum Checksum (sha1) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1
75c1030bbd32c9eebea53c021e19035ebe343c14
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1
8acefff67bd82e38314b43887bd5f10da9a12052
:error:checksum Checksum (rmd160) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 rmd160
28d2162d67684f1969ed5a8882dea358bb022bd2
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 rmd160
dca83b23603a140d4abbb4de7672bf4259018167
:info:checksum The correct checksum line may be:
:info:checksum checksums md5 5fca34e2e31753a8ba0ccb942f0e993e \
sha1 8acefff67bd82e38314b43887bd5f10da9a12052 \
rmd160 dca83b23603a140d4abbb4de7672bf4259018167
:error:checksum Target org.macports.checksum returned: Unable to verify file
checksums
:debug:checksum Backtrace: Unable to verify file checksums
while executing
"$procedure $targetname"
I've checked the release notes
(http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.0), and it appears that
either someone has completely hijacked the distribution infrastructure for
deluge and replaced the checksum values or that macports has got it wrong. I'm
not sure why macports would have this wrong, but I did notice the following
further details:
1) these aren't the checksums for the earlier 1.3.0 release candidates
2) the changeset for 1.3.0 that provides these checksums
(https://trac.macports.org/changeset/71478) is dated September 14, whereas the
distribution I'm trying to download dates the bz2 source September 18, which is
the same date as given on the release notes, suggesting that macports pushed
1.3.0 pre-release and thus ended up with the wrong checksums
3) trying to find copies of 1.3.0 through alternate distribution channels, I
don't find anyone else's bz2 distro to compare, but I do notice that numerous
sites announce the release on the 14th and provide various other types of
distribution as of that date, noting that release notes are not yet available,
suggesting that something changed between announcement and initial availability
and the release for which notes are available, which may be as trivial a
difference as the addition of release notes
4) unfortunately there's neither SSL-verifiable release notes
(deluge-torrent.org is a virtual domain running on the OSU Open Source Lab,
where the certificate is expired and doesn't support validation of the
virtually hosted domains) nor signed checksums (I've posted to the deluge
forums about this problem in attributing the checksums and verifying their
integrity)
All the same, I tend to think that this is not a case of hijacking a
distribution channel to propagate trojaned software. I'm going to go ahead and
build this via a local Portfile override, but I'd appreciate another pair of
eyes on this, just in case I'm wrong.
Cheers,
Bayard_______________________________________________
macports-users mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
