[Buildroot] [PATCH 1/1] package/iputils: fix IPUTILS_SITE URL
Yann E. MORIN
yann.morin.1998 at free.fr
Tue Dec 26 21:18:02 UTC 2023
Petr, All,
On 2023-12-26 13:02 +0100, Petr Vorel spake thusly:
> Upstream in release 20231222 shipped self generated iputils-20231222.tar.gz,
> which is signed and thus has different checksum than "Source code (tar.gz)"
> generated by github. Therefore different URL needs to be used to get
> correct checksum.
>
> Fixes:
>
> http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c
>
> Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
> Signed-off-by: Petr Vorel <petr.vorel at gmail.com>
Applied to master, thanks.
> ---
> Hi all,
>
> I'm sorry for this error. Although I tested package with utils/test-pkg
> I probably had cached package in dl/iputils, that's why I haven't
> noticed failing checksum [1]:
Ah, I also got bitten a few times now and then. No worries, thank you
for fixing it up promptly!
Regards,
Yann E. MORIN.
> >>> iputils 20231222 Downloading
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' 'https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz'
> --2023-12-25 14:18:12-- https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> Resolving github.com (github.com)... 192.30.255.113
> Connecting to github.com (github.com)|192.30.255.113|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222 [following]
> --2023-12-25 14:18:13-- https://codeload.github.com/iputils/iputils/tar.gz/refs/tags/20231222
> Resolving codeload.github.com (codeload.github.com)... 192.30.255.121
> Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [application/x-gzip]
> Saving to: '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output'
> ...
> 2023-12-25 14:18:13 (13.4 MB/s) - '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.nEeIiH/output' saved [546838]
>
> ERROR: while checking hashes from package/iputils//iputils.hash
> ERROR: iputils-20231222.tar.gz has wrong sha256 hash:
> ERROR: expected: e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775
> ERROR: got : 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> wget --passive-ftp -nd -t 3 -O '/home/buildroot/autobuild/instance-1/output-1/build/.iputils-20231222.tar.gz.1wDgdq/output' 'https://sources.buildroot.net/iputils/iputils-20231222.tar.gz'
>
> Package which buildroot uses via $(call github ...) is from archive:
>
> $ wget --passive-ftp -nd -t 3 -O /tmp/iputils-20231222.tar.gz https://github.com/iputils/iputils/archive/20231222/iputils-20231222.tar.gz
> $ sha256sum /tmp/iputils-20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f /tmp/iputils-20231222.tar.gz
>
> But file which can be downloaded from releases page [2] is different:
>
> $ wget --passive-ftp -nd -t 3 -O iputils-20231222.tar.gz https://github.com/iputils/iputils/releases/download/20231222/iputils-20231222.tar.gz
> $ sha256sum iputils-20231222.tar.gz
> e3ce5e1a1f795c2d520985463b90e20f9388b7060796d54ad64509aa8e4af775 iputils-20231222.tar.gz
>
> Previously we used file generated by iputils, which has the same checksum as
> these from archive:
> $ wget -c https://github.com/iputils/iputils/archive/refs/tags/20231222.tar.gz
> $ sha256sum 20231222.tar.gz
> 18d51e7b416da0ecbc0ae18a2cba76407ca0b5b3f32c356034f258a0cb56793f 20231222.tar.gz
>
> In the package I used the checksum which is generated with uploaded
> files and uploaded with them [3].
>
> I compared the content of 20231222.tar.gz and iputils-20231222.tar.gz, the
> content is the same. But the size differs:
>
> $ stat -c "%s %n" 20231222.tar.gz /tmp/iputils-20231222.tar.gz iputils-20231222.tar.gz
> 546838 20231222.tar.gz
> 546838 /tmp/iputils-20231222.tar.gz
> 548875 iputils-20231222.tar.gz
>
> I suppose the difference is that I signed files in the release [2], but
> files in archive are generated by github, thus obviously not signed.
> I suppose this is obvious, but until now I haven't realized it.
>
> Kind regards,
> Petr
>
> [1] http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c/build-end.log
> [2] https://github.com/iputils/iputils/releases/tag/20231222
> [3] https://github.com/iputils/iputils/releases/download/20231222/sha256sums.asc
>
> package/iputils/iputils.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
> index a8f93488bb..bcf440ec93 100644
> --- a/package/iputils/iputils.mk
> +++ b/package/iputils/iputils.mk
> @@ -5,7 +5,7 @@
> ################################################################################
>
> IPUTILS_VERSION = 20231222
> -IPUTILS_SITE = $(call github,iputils,iputils,$(IPUTILS_VERSION))
> +IPUTILS_SITE = https://github.com/iputils/iputils/releases/download/$(IPUTILS_VERSION)
> IPUTILS_LICENSE = GPL-2.0+, BSD-3-Clause
> IPUTILS_LICENSE_FILES = LICENSE Documentation/LICENSE.BSD3 Documentation/LICENSE.GPL2
> IPUTILS_CPE_ID_VENDOR = iputils_project
> --
> 2.43.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
More information about the buildroot
mailing list