[1/1] package/ufs-utils: fix hash file
diff mbox series

Message ID 20250807094204.3505777-1-dario.binacchi@amarulasolutions.com
State New
Headers show
Series
  • [1/1] package/ufs-utils: fix hash file
Related show

Commit Message

Dario Binacchi Aug. 7, 2025, 9:42 a.m. UTC 
I think the issue is caused by PR [1] being merged without a rebase,
which may have triggered an automatic re-generation of the tar.gz
archive. Tests show that the tarball stored in Buildroot mirrors has a
SHA1 matching the one in the hash file, while the one downloaded from
the SanDisk repository has a different SHA1:

wget -nd -t 3 --connect-timeout=10 -O '/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.68J1WJ/output' 'https://github.com/SanDisk-Open-Source/ufs-utils/archive/v7.14.12/ufs-utils-7.14.12.tar.gz'
--2025-08-07 11:07:32--  https://github.com/SanDisk-Open-Source/ufs-utils/archive/v7.14.12/ufs-utils-7.14.12.tar.gz
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/SanDisk-Open-Source/ufs-utils/tar.gz/refs/tags/v7.14.12 [following]
--2025-08-07 11:07:32--  https://codeload.github.com/SanDisk-Open-Source/ufs-utils/tar.gz/refs/tags/v7.14.12
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.68J1WJ/output’

/home/dario/projects/buildroot/output/b     [ <=>                                                                                ]  77.76K  --.-KB/s    in 0.06s

2025-08-07 11:07:32 (1.32 MB/s) - ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.68J1WJ/output’ saved [79623]

ERROR: while checking hashes from package/ufs-utils/ufs-utils.hash
ERROR: ufs-utils-7.14.12.tar.gz has wrong sha256 hash:
ERROR: expected: 96cd578722830bc7d8a418d528a3067c0b80ad437f66c3333ebc238fe52436a2
ERROR: got     : 96d15ce4b0990049d812d24afc2a62240c1a4aa534ea6aebb5aebd34dccb2dac
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
wget -nd -t 3 --connect-timeout=10 -O '/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.HYpqKm/output' 'https://sources.buildroot.net/ufs-utils/ufs-utils-7.14.12.tar.gz'
--2025-08-07 11:07:32--  https://sources.buildroot.net/ufs-utils/ufs-utils-7.14.12.tar.gz
Resolving sources.buildroot.net (sources.buildroot.net)... 2606:4700:20::681a:25, 2606:4700:20::ac43:4838, 2606:4700:20::681a:125, ...
Connecting to sources.buildroot.net (sources.buildroot.net)|2606:4700:20::681a:25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 79619 (78K) [application/x-gtar-compressed]
Saving to: ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.HYpqKm/output’

/home/dario/projects/buildroot/output/b 100%[===================================================================================>]  77.75K  --.-KB/s    in 0.02s

2025-08-07 11:07:33 (4.96 MB/s) - ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.HYpqKm/output’ saved [79619/79619]

ufs-utils-7.14.12.tar.gz: OK (sha256: 96cd578722830bc7d8a418d528a3067c0b80ad437f66c3333ebc238fe52436a2)

Fixes:
https://autobuild.buildroot.org/results/b69/b69472d2eaf27dfcc97c300b96868cab52068ce9
https://autobuild.buildroot.org/results/429/429a28669d98c6f424f33a211eb0ebb48c6f4553
https://autobuild.buildroot.org/results/01b/01b90bd7d78a34ae732191b750efc69f195c78ec
https://autobuild.buildroot.org/results/a09/a097e48314be2f522238880e9ab4529cebeff47b

[1] https://github.com/SanDisk-Open-Source/ufs-utils/pull/70
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
---
 package/ufs-utils/ufs-utils.hash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

'Julien Olivain' via Amarula Linux Aug. 7, 2025, 11:08 p.m. UTC | #1 
Hi Dario,

Thanks for the patch. I have few comments.

On 07/08/2025 11:42, Dario Binacchi wrote:
> I think the issue is caused by PR [1] being merged without a rebase,
> which may have triggered an automatic re-generation of the tar.gz
> archive.

This wording suggests you are not sure.

Looking at:
https://sources.buildroot.net/ufs-utils/ufs-utils-7.14.12.tar.gz
with hash:
sha256  96cd578722830bc7d8a418d528a3067c0b80ad437f66c3333ebc238fe52436a2 
  ufs-utils-7.14.12.tar.gz

and:
https://github.com/SanDisk-Open-Source/ufs-utils/archive/v7.14.12/ufs-utils-7.14.12.tar.gz
with hash:
sha256  96d15ce4b0990049d812d24afc2a62240c1a4aa534ea6aebb5aebd34dccb2dac 
  ufs-utils-7.14.12.tar.gz

Running "diffoscope" on those two archives seems to point
toward the upstream commit:
https://github.com/SanDisk-Open-Source/ufs-utils/commit/989dcd297223d6896c5892532d14984326fa093d

The file dates are also different inside the tar file.

Could you reword the commit log to include those details, please?

> Tests show that the tarball stored in Buildroot mirrors has a
> SHA1 matching the one in the hash file, while the one downloaded from

   ^^^^ actually it is SHA256 (also below).

> the SanDisk repository has a different SHA1:
> 
> wget -nd -t 3 --connect-timeout=10 -O 
> '/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.68J1WJ/output' 
> 'https://github.com/SanDisk-Open-Source/ufs-utils/archive/v7.14.12/ufs-utils-7.14.12.tar.gz'
> --2025-08-07 11:07:32--  
> https://github.com/SanDisk-Open-Source/ufs-utils/archive/v7.14.12/ufs-utils-7.14.12.tar.gz
> Resolving github.com (github.com)... 140.82.121.4
> Connecting to github.com (github.com)|140.82.121.4|:443... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: 
> https://codeload.github.com/SanDisk-Open-Source/ufs-utils/tar.gz/refs/tags/v7.14.12 
> [following]
> --2025-08-07 11:07:32--  
> https://codeload.github.com/SanDisk-Open-Source/ufs-utils/tar.gz/refs/tags/v7.14.12
> Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
> Connecting to codeload.github.com 
> (codeload.github.com)|140.82.121.10|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: unspecified [application/x-gzip]
> Saving to: 
> ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.68J1WJ/output’
> 
> /home/dario/projects/buildroot/output/b     [ <=>                       
>                                                          ]  77.76K  
> --.-KB/s    in 0.06s
> 
> 2025-08-07 11:07:32 (1.32 MB/s) - 
> ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.68J1WJ/output’ 
> saved [79623]
> 
> ERROR: while checking hashes from package/ufs-utils/ufs-utils.hash
> ERROR: ufs-utils-7.14.12.tar.gz has wrong sha256 hash:
> ERROR: expected: 
> 96cd578722830bc7d8a418d528a3067c0b80ad437f66c3333ebc238fe52436a2
> ERROR: got     : 
> 96d15ce4b0990049d812d24afc2a62240c1a4aa534ea6aebb5aebd34dccb2dac
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> wget -nd -t 3 --connect-timeout=10 -O 
> '/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.HYpqKm/output' 
> 'https://sources.buildroot.net/ufs-utils/ufs-utils-7.14.12.tar.gz'
> --2025-08-07 11:07:32--  
> https://sources.buildroot.net/ufs-utils/ufs-utils-7.14.12.tar.gz
> Resolving sources.buildroot.net (sources.buildroot.net)... 
> 2606:4700:20::681a:25, 2606:4700:20::ac43:4838, 2606:4700:20::681a:125, 
> ...
> Connecting to sources.buildroot.net 
> (sources.buildroot.net)|2606:4700:20::681a:25|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 79619 (78K) [application/x-gtar-compressed]
> Saving to: 
> ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.HYpqKm/output’
> 
> /home/dario/projects/buildroot/output/b 
> 100%[===================================================================================>] 
>  77.75K  --.-KB/s    in 0.02s
> 
> 2025-08-07 11:07:33 (4.96 MB/s) - 
> ‘/home/dario/projects/buildroot/output/build/.ufs-utils-7.14.12.tar.gz.HYpqKm/output’ 
> saved [79619/79619]
> 
> ufs-utils-7.14.12.tar.gz: OK (sha256: 
> 96cd578722830bc7d8a418d528a3067c0b80ad437f66c3333ebc238fe52436a2)
> 
> Fixes:
> https://autobuild.buildroot.org/results/b69/b69472d2eaf27dfcc97c300b96868cab52068ce9
> https://autobuild.buildroot.org/results/429/429a28669d98c6f424f33a211eb0ebb48c6f4553
> https://autobuild.buildroot.org/results/01b/01b90bd7d78a34ae732191b750efc69f195c78ec
> https://autobuild.buildroot.org/results/a09/a097e48314be2f522238880e9ab4529cebeff47b
> 
> [1] https://github.com/SanDisk-Open-Source/ufs-utils/pull/70
> Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>

Could you raise a ticket to highlight this issue to in the
upstream please? we should make sure upstream maintainers are aware
of this situation.

Then could you add a reference of this ticket in the commit log?

We cannot really afford having several different copies of the same
archive name with different contents. We will probably have to remove
the "old" version from the Buildroot cache.

Could you send an updated version of this patch, please?

Best regards,

Julien.

To unsubscribe from this group and stop receiving emails from it, send an email to linux-amarula+unsubscribe@amarulasolutions.com.

Patch
diff mbox series 

diff --git a/package/ufs-utils/ufs-utils.hash b/package/ufs-utils/ufs-utils.hash
index 89053996ab3b..e32275950229 100644
--- a/package/ufs-utils/ufs-utils.hash
+++ b/package/ufs-utils/ufs-utils.hash
@@ -1,3 +1,3 @@ 
 # Locally computed
-sha256  96cd578722830bc7d8a418d528a3067c0b80ad437f66c3333ebc238fe52436a2  ufs-utils-7.14.12.tar.gz
+sha256  96d15ce4b0990049d812d24afc2a62240c1a4aa534ea6aebb5aebd34dccb2dac  ufs-utils-7.14.12.tar.gz
 sha256  231f7edcc7352d7734a96eef0b8030f77982678c516876fcb81e25b32d68564c  COPYING