Will the mirror script notice the changed checksums in the Portfile and attempt to grab a match? -- If not, we should probably "fix" that.
Will adding it to https://svn.macosforge.org/repository/macports/distfiles/deluge cause the mirrors to find this one instead?

On Sep 30, 2010, at 10:14, David Evans wrote:

> On 9/30/10 9:23 AM, Bayard Bell wrote:
>> I've been trying to build deluge 1.3.0 but am getting failures for all
>> three checksums. Here's what I see in the logs:
>>
>> :msg:fetch ---> Attempting to fetch deluge-1.3.0.tar.bz2
>> from http://download.deluge-torrent.org/source/
>> :msg:fetch ---> Verifying checksum(s) for deluge
>> :debug:checksum checksum phase started at Thu Sep 30 15:48:32 BST 2010
>> :debug:checksum Executing org.macports.checksum (deluge)
>> :info:checksum ---> Checksumming deluge-1.3.0.tar.bz2
>> :error:checksum Checksum (md5) mismatch for deluge-1.3.0.tar.bz2
>> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5
>> d3cdb501983fcf793ee368b5a8e429c0
>> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5
>> 5fca34e2e31753a8ba0ccb942f0e993e
>> :error:checksum Checksum (sha1) mismatch for deluge-1.3.0.tar.bz2
>> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1
>> 75c1030bbd32c9eebea53c021e19035ebe343c14
>> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1
>> 8acefff67bd82e38314b43887bd5f10da9a12052
>> :error:checksum Checksum (rmd160) mismatch for deluge-1.3.0.tar.bz2
>> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 rmd160
>> 28d2162d67684f1969ed5a8882dea358bb022bd2
>> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 rmd160
>> dca83b23603a140d4abbb4de7672bf4259018167
>> :info:checksum The correct checksum line may be:
>> :info:checksum checksums md5
>> 5fca34e2e31753a8ba0ccb942f0e993e \
>> sha1 8acefff67bd82e38314b43887bd5f10da9a12052 \
>> rmd160 dca83b23603a140d4abbb4de7672bf4259018167
>> :error:checksum Target org.macports.checksum returned: Unable to
>> verify file checksums
>> :debug:checksum Backtrace: Unable to verify file checksums
>> while executing
>> "$procedure $targetname"
>>
>> I've checked the release notes
>> (http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.0), and it
>> appears that either someone has completely hijacked the distribution
>> infrastructure for deluge and replaced the checksum values or that
>> macports has got it wrong. I'm not sure why macports would have this
>> wrong, but I did notice the following further details:
>>
>> 1) these aren't the checksums for the earlier 1.3.0 release candidates
>> 2) the changeset for 1.3.0 that provides these checksums
>> (https://trac.macports.org/changeset/71478) is dated September 14,
>> whereas the distribution I'm trying to download dates the bz2 source
>> September 18, which is the same date as given on the release notes,
>> suggesting that macports pushed 1.3.0 pre-release and thus ended up
>> with the wrong checksums
>> 3) trying to find copies of 1.3.0 through alternate distribution
>> channels, I don't find anyone else's bz2 distro to compare, but I do
>> notice that numerous sites announce the release on the 14th and
>> provide various other types of distribution as of that date, noting
>> that release notes are not yet available, suggesting that something
>> changed between announcement and initial availability and the release
>> for which notes are available, which may be as trivial a difference as
>> the addition of release notes
>> 4) unfortunately there's neither SSL-verifiable release notes
>> (deluge-torrent.org <http://deluge-torrent.org/> is a virtual domain
>> running on the OSU Open Source Lab, where the certificate is expired
>> and doesn't support validation of the virtually hosted domains) nor
>> signed checksums (I've posted to the deluge forums about this problem
>> in attributing the checksums and verifying their integrity)
>>
>> All the same, I tend to think that this is not a case of hijacking a
>> distribution channel to propagate trojaned software. I'm going to go
>> ahead and build this via a local Portfile override, but I'd appreciate
>> another pair of eyes on this, just in case I'm wrong.
>>
>> Cheers,
>> Bayard
>>
>> _______________________________________________
>> macports-users mailing list
>> [email protected]
>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
>
> It appears that deluge-torrent.org prematurely published a copy of
> 1.3.0 on their site and later retracted
> it, substituting a different file with the same version number.
> Unfortunately, the deluge port was
> updated to 1.3.0 while the old file still existed.
>
> I agree that the new version is probably legitimate but there is
> difficulty in verifying the checksums as
> you have stated.
>
> In addition, the earlier version of the file is cached on macports'
> own mirrors so the port will fetch
> a different version of the file depending on which site it thinks is
> closer. In my case, I always get
> it from distfiles.macports.org, which is geographically closer to me
> than the OSU site. So the checksums
> pass.
>
> So a question for the more knowledgeable is how to purge the old file
> from the macports mirrors
> and/or under which circumstances it will be automatically updated.
>
> Dave
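An added example, not part of the thread or of MacPorts: a triage helper for the checksum-phase log quoted above. It pairs the `Portfile checksum` / `Distfile checksum` lines per algorithm and distinguishes "every declared digest differs" (the fetched bytes are a different file, as with the re-published 1.3.0 tarball) from "only some differ" (more likely a typo in the Portfile). The function names and the `declared` parameter are hypothetical, and the log lines are the thread's own with the mail client's wrapping undone. A `different-file` verdict says nothing about which copy is legitimate; that still needs an out-of-band reference such as signed checksums.

```python
import re

# Log excerpt from the thread, with the mail client's line wrapping undone.
THREAD_LOG = """\
:error:checksum Checksum (md5) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5 d3cdb501983fcf793ee368b5a8e429c0
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5 5fca34e2e31753a8ba0ccb942f0e993e
:error:checksum Checksum (sha1) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1 75c1030bbd32c9eebea53c021e19035ebe343c14
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1 8acefff67bd82e38314b43887bd5f10da9a12052
:error:checksum Checksum (rmd160) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 rmd160 28d2162d67684f1969ed5a8882dea358bb022bd2
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 rmd160 dca83b23603a140d4abbb4de7672bf4259018167
"""

PAIR = re.compile(
    r"^:info:checksum (Portfile|Distfile) checksum: (\S+) (\w+) ([0-9a-f]+)$"
)

def parse_mismatches(log_text):
    """Return {distfile: {algo: {"Portfile": hex, "Distfile": hex}}}."""
    out = {}
    for line in log_text.splitlines():
        m = PAIR.match(line.strip())
        if m:
            side, name, algo, digest = m.groups()
            out.setdefault(name, {}).setdefault(algo, {})[side] = digest
    return out

def triage(log_text, declared=("md5", "sha1", "rmd160")):
    """Classify each distfile by how many of the declared digests disagree."""
    verdicts = {}
    for name, algos in parse_mismatches(log_text).items():
        bad = {a for a, s in algos.items()
               if s.get("Portfile") != s.get("Distfile")}
        if bad >= set(declared):
            # All independent digests differ: not the bytes the Portfile
            # was written against (replaced upstream or stale mirror copy).
            verdicts[name] = "different-file"
        elif bad:
            # Only some digests differ: suspect a typo in the Portfile.
            verdicts[name] = "check-portfile:" + ",".join(sorted(bad))
    return verdicts

def fetched_digests(log_text, name):
    """Digests of the file actually fetched, for out-of-band comparison."""
    return {a: s["Distfile"]
            for a, s in parse_mismatches(log_text)[name].items()
            if "Distfile" in s}

if __name__ == "__main__":
    print(triage(THREAD_LOG))
```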
