On Wed, 2022-04-13 at 11:39 -1000, Steve Sakoman wrote: > I did another experiment, where I disabled generation of the sha256 > entries in Release (by adding --no-sha256 to the apt-ftparchive > command) > > As a result we get past this first hash mismatch in Release, but then > get later hash mismatches when it tries to download .debs.
I am able to get past this, albeit with a hack. This fixes the sha256 sum in the Release file, as well as verification of the .deb files. The original test then passes: RESULTS - apt.AptRepoTest.test_apt_install_from_repo: PASSED (46.75s) The hack to reduce the optimisation level for apt-native and apt. By default it uses CXXFLAGS="-g -O2". Reducing this to -O1 fixes the checksums. > The issue is happening on Fedora 35 and Alma 8, so no > buildtools-tarball in this case! Fedora 35 is using gcc-11.2.1, could you check what Alma 8 uses? Here are a few other things I checked, prior to noticing the optimisation level issue: 1) we are using apt 1.2.31; the latest 1.2.y version is 1.2.35 - this still has the problem with bad sha256sums - it does include several CVE fixes which we might want - it added a new dependency on systemd 2) main branch version is 2.3.5 - it switched to CMAKE - many new dependencies - I got it to configure, but not compile - custom crypto code seems to be dropped, in favour of gcrypt - presumably this would fix the sha256 however I cannot confirm Regards, Ralph
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#164377): https://lists.openembedded.org/g/openembedded-core/message/164377 Mute This Topic: https://lists.openembedded.org/mt/90107518/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
