moab 4.9.2 tar.gz checksum has changed

Issue #55 resolved
Michka Popoff created an issue

Hi

I am one of the homebrew-science maintainers. We realised that the checksum of the 4.9.2 tar.gz has changed. As we ship moab to users, this is considered a critical problem on our side.

Here is the actual error:

    Verifying moab-4.9.2.tar.gz checksum
    Error: SHA256 mismatch
    Expected: 5d79e299dd9bf76d7cade434cde478bb6dc8290e5b574b25cc30ee96f35a203d
    Actual: 26611b8cc24f6b7df52eb4ecbd31523d61523da0524b5a2d066a7656e2e82ac5

The initial checksum was defined on Sep. 11, 2016, when bumping to release 4.9.2.

There are two things that could have happened here:

- Someone repackaged the release, with code changes, which is very bad practice. In that case you should create a new version tag. Because now we have a version tag (4.9.2) which basically corresponds to two different tar.gz files, which could have different behaviours.
- You got hacked. I hope this is not the case, but then you need to double-check the security measures on your server (http://ftp.mcs.anl.gov/).

We will update the sha256 only once the situation has cleared up.

For reference, here is the issue on our bug tracker: https://github.com/Homebrew/homebrew-science/issues/4933

Comments (5)

  1. Vijay M

    Michka, we apologize for the confusion. The original tarball that we created had some machine specific configuration files as part of the tarball. This was caused by a stale directory where the tarball was generated. However after some user complaints, we have fixed that since. We have a pretty wide range of tests in the library but none to capture tarball packaging or integrity errors.

    Anyway, the new tarball should have exactly the same behavior as before, except for the fact that some files that should not have been there in the first place have been removed (built from a clean directory).

    @rajeeja maintains our homebrew support and he should be able to provide more details regarding updating the hash if needed.

  2. Rajeev Jain

    You are right, we fixed a few things in the previous release, causing the unpleasant checksum behavior you see. This shouldn't have happened. The intent is to choose the later version of 4.9.2. At this point, we can either:

        1. Make a new release 4.9.3
        2. Wait for 5.0.0

  3. Michka Popoff reporter

    Thanks for the explanation.

    It is not a question of behaviour but a basic security measure that all package managers use. You will find this for debian (apt), yum, ... It makes sure nobody fiddled with the source files that are downloaded to the users' computers.

    Sometimes, packaging errors happen. In these cases, it is always better to push a new release. A minor version bump can be enough. It could have been 4.9.2.1 or 4.9.2-1, or 4.9.3. Modifying the tar.gz later is very bad.

    We pushed a revision of the package, so on our side everything is fine, we do not necessarily need a version bump. You may still do it, in case other people / other package managers would double-check the checksum too.

    The purpose of this issue was just to make you aware of the problem. Hacking could also have been a possibility, so we report those kinds of things as fast as possible to the upstream projects.

    Thanks for all the explanations. You may close this bug :)

  4. Vijay M

    @iMichka Yes, I perfectly understand the concerns and we apologize about the oversight. We are transitioning to a system where we adhere to semantic versioning more strongly. So a change such as this would have yielded a sub-minor version bump as you said. Thanks again.
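
The pinned-checksum check Michka describes in comment 3, and the stale-directory repackaging Vijay describes in comment 1, as an added example that is not part of the issue thread or of MOAB's or Homebrew's own code. It builds three small tar.gz archives in memory from constructed file contents (the paths under moab-4.9.2/ are hypothetical): the original, one regenerated with a stray machine-specific config.log, and one with identical files repackaged a day later. Whole-file SHA-256 fails for the last two alike; comparing per-member digests tells a content change from a metadata-only repackage, which is the triage a packager wants before accepting a new hash.

```python
"""Pinned-checksum verification of a source tarball, plus a member-level
diff to explain a mismatch. Added example; the archives below are
constructed in memory and are not MOAB's real release tarballs."""
import gzip
import hashlib
import io
import tarfile

# Constructed release contents (hypothetical paths, not the real MOAB tree).
RELEASE_FILES = {
    "moab-4.9.2/configure": b"#!/bin/sh\necho configuring\n",
    "moab-4.9.2/src/Core.cpp": b"int main() { return 0; }\n",
}
# A machine-specific file left behind in a stale build directory.
STRAY_FILES = {
    "moab-4.9.2/config.log": b"host = buildbox.example.org\n",
}
MEMBER_MTIME = 1473552000  # fixed mtime for every member, for reproducibility


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_tgz(members, gzip_mtime):
    """Build a .tar.gz in memory with fixed member metadata, so the only
    sources of byte-level variation are the member set and gzip_mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=gzip_mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in sorted(members.items()):
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = MEMBER_MTIME
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify(tgz, pinned_sha256):
    """The check a package manager runs: whole-file SHA-256 against the
    value recorded in the formula. Any byte change fails it."""
    return sha256_hex(tgz) == pinned_sha256.lower()


def member_digests(tgz):
    """Map each regular file in the archive to the SHA-256 of its content,
    ignoring tar and gzip metadata."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests


def explain_mismatch(expected, actual):
    """Classify a mismatch: files added, removed, or with changed content.
    All three empty means only packaging metadata differed."""
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "changed": sorted(n for n in expected.keys() & actual.keys()
                          if expected[n] != actual[n]),
    }


def demo():
    clean = make_tgz(RELEASE_FILES, gzip_mtime=1473552000)
    pinned = sha256_hex(clean)  # what the formula would have recorded
    # Tarball regenerated from a stale directory: one extra file.
    dirty = make_tgz({**RELEASE_FILES, **STRAY_FILES}, gzip_mtime=1473552000)
    # Same files, repackaged a day later: only the gzip header changes.
    rebuilt = make_tgz(RELEASE_FILES, gzip_mtime=1473552000 + 86400)
    ref = member_digests(clean)
    return {
        "clean_ok": verify(clean, pinned),
        "dirty_ok": verify(dirty, pinned),
        "dirty_diff": explain_mismatch(ref, member_digests(dirty)),
        "rebuilt_ok": verify(rebuilt, pinned),
        "rebuilt_diff": explain_mismatch(ref, member_digests(rebuilt)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even an honest rebuild of identical sources fails the pinned hash, because the gzip header carries a timestamp and tar records ownership and mtimes. That is why overwriting a published tarball under the same tag is unworkable for downstream packagers, and why a mismatch should be triaged against the archive contents, as above, before a new hash is accepted.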
