Thanks Markus that topic is trend in mastodon now. Complicated not to read about it.
Not only the latest versions are disabled: the whole repo https://github.com/tukaani-project/xz/ O_O I find strange that it complains about a different hash, when it cannot download the file at all. And it only fails on windows! Are we using a different library in Linux? Cheers On Mon, 1 Apr 2024 at 11:55, Markus Neteler <[email protected]> wrote: > On Mon, Apr 1, 2024 at 11:50 AM Javier Jimenez Shaw via PROJ > <[email protected]> wrote: > > > > I just updated my master branch of PROJ, and got emails about windows > failing > > > https://github.com/jjimenezshaw/PROJ/actions/runs/8506414730/job/23296571430 > > > > Downloading https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz > > [DEBUG] Trying to hash > C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part > > [DEBUG] C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part > has hash > 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989 > > error: Failed to download from mirror set > > error: File does not have the expected hash: > > url: https://github.com/tukaani-project/xz/archive/v5.6.0.tar.gz > > File: C:\vcpkg\downloads\tukaani-project-xz-v5.6.0.tar.gz.3656.part > > Expected hash: > 0aa74e01c019c1d3893cf16f53b300ba4e74c6aa9febabf57ddb49b28615d76862eeb746c54c2085efd37c7e8cc0829014d9b7ad481a76294bc929b3cca91336 > > Actual hash: > 7e3f1d71073b8e63db9aed60da80545ac06ee4c5177d6ecab528ebd16efc1bb1e4280b6ed5211dcba1069392d4023fa3356b1cc9aff57b9537f7fc4d6b3fa989 > > > > ... interesting. > > The latest xz library version(s) have been backdoored and hence > disabled on GitHub. > Random page: > > https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/ > > Markus >
_______________________________________________ PROJ mailing list [email protected] https://lists.osgeo.org/mailman/listinfo/proj
