On Tue, Apr 12, 2022 at 3:21 PM Ralph Siemsen <[email protected]> wrote: > > On Tue, Apr 12, 2022 at 5:49 PM Steve Sakoman <[email protected]> wrote: > > > I added a debug option to the failing command and did another autobuilder > > run. > > > > You can see the output here: > > > > https://errors.yoctoproject.org/Errors/Details/654608/ > > Okay, same error, "Hash Sum mismatch". And if I squint between all the > URL-encoding, I can see the md5/sha1/sha256/sha512sum values. > > The "apt update" command is doing the following: > - fetch the file called "Release" > - fetch the file called "Packages.gz" --> error occurs here > > Looking inside the Release file, it is plain text, and contains the > md5/sha1/sha256/sha512 sums of both Packages and Packages.gz (and also > the first two lines of Release). > > Manually checking each of those sums reveals an inconsistency: all the > sha256 values inside Release are incorrect, while all the other > md1/sha1/sha512 values are correct. > > And when we look at the URL-encoded debug info... the sha256 value is > the correct one for Packages.gz (as computed manually). However it > does not match the (incorrect) value within the Release file. Thus it > seems apt-get is justified when it complains about "Hash Sum > mismatch". > > Going back to my Ubuntu system, and looking at the generated Release > file... all the checksums are correct, including the sha256sum. > > So I am now looking into how Release file gets generated... as the > problem appears to be there... and it happens on Fedora but not > Ubuntu.
As far as I can tell it is done here: https://git.yoctoproject.org/poky/tree/meta/lib/oe/package_manager.py?h=dunfell#n301 > One additional point to add: on the same Fedora 35 system, I did a > full rebuild *without* with xz/gzip CVE fixes, and the apt failure > still occurs. To be certain, I nuked cache, sstate-cache and tmp (so > basically the entire build directory) and the rebuild took several > hours. Now that is really strange! In my experience it has only appeared after adding the zlib or xz CVE fix patches. I just started two runs on the autobuilder, with the zlib patch as the only difference. Both on Fedora 35. Let's see if I can confirm what you are seeing! I don't have a local Fedora 35 machine, so I need to rely on the autobuilder. Steve
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#164332): https://lists.openembedded.org/g/openembedded-core/message/164332 Mute This Topic: https://lists.openembedded.org/mt/90107518/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
