Looks like the change in the libsamplerate hash was harmless. In any case,
the maintainer of libsamplerate has replaced the tarball with the previous
version.
--- Begin Message ---
Karn Kallio wrote:
> Hello,
>
> The Linux distribution NixOS ( http://nixos.org ) has a package for
> libsamplerate version 0.1.7, which contains a hash value which was derived
> from the tarball downloaded from the URL
>
> http://www.mega-nerd.com/SRC/libsamplerate-0.1.7.tar.gz
>
> some time ago. At the time of packaging libsamplerate, the hash of the
> tarball was
>
> 1m1iwzpcny42kcqv5as2nyb0ggrb56wzckpximqpp2y74dipdf4q
>
> However the tarball as downloaded today has a hash of
>
> 175w1n4x4wdf36di7bxqlx919qgysyr0kw3fymisq8q398i4d9p0
>
> so it would seem that the tarball available on the server for the version
> 0.1.7 has changed.
>
> Is this change legitimate?
I've just checked this very thoroughly. The file currently on the
web site is legitimate but not actually the right one.
When I initially uploaded 0.1.7 I go a bug report about an hour
later which was fixed and the re-uploaded with the same version.
However, when I later moved the website to another machine, I
somehow managed to get the older incorrect version of the tarball.
I had an known correct tarball that never left my machine and the
only difference between that tarball and the one you grabbed from
the website are the changes between the original upload and the
fixed upload a couple of hours later.
I have now updated the download page:
http://www.mega-nerd.com/SRC/download.html
to point to the second fixed tarball and a GPG signature of that
tarball.
Sorry for the confusion (and the diligence of checking). For an
indication of my current level of paranoia have a read of this:
http://www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/malware.html
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
--- End Message ---
_______________________________________________
nix-dev mailing list
[email protected]
https://mail.cs.uu.nl/mailman/listinfo/nix-dev
