mmonit release artifacts change hash regularly

Issue #1054 new
Ryan Mulligan created an issue

I made a nix expression for building mmonit for my server:

{ stdenv, autoPatchelfHook, coreutils }:
stdenv.mkDerivation rec {
  pname = "mmonit";
  version = "3.7.12";

  src = builtins.fetchTarball {
    url = "https://mmonit.com/dist/mmonit-${version}-linux-x64.tar.gz";
    sha256 = "sha256:0bpn05zzzdg6plnza6q79bjswxwamjvzi0b51f5c77zsc5pnlvq0";
  };

  nativeBuildInputs = [
    autoPatchelfHook
  ];

  buildInputs = [
    coreutils
  ];

  dontConfigure = true;
  dontBuild = true;
  installPhase = ''
    runHook preInstall
    mkdir -p $out
    cp -r $src/{bin,conf,doc,docroot,lib,upgrade} $out
    cp -r $src/db $out/db-template
    ln -s /var/lib/mmonit/logs $out/logs
    ln -s /var/lib/mmonit/db $out/db
    runHook postInstall
  '';
}

However, when I try to build it on another machine later, it fails. This is because the tarballs released on the mmonit website get changed regularly. I used diffoscope to see the change:

$ diffoscope /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source  /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source
--- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source
+++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source
│   --- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source/conf
├── +++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source/conf
│ │   --- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source/conf/license.xml
│ ├── +++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source/conf/license.xml
│ │ │   --- /nix/store/3i8dir8scrz1l30fg8lj6i0zplrwl4qy-source/conf/license.xml
│ │ ├── +++ /nix/store/6zak8139m6x42vjfqhiysd402f6smzv0-source/conf/license.xml
│ │ │ @@ -1,6 +1,6 @@
│ │ │  <?xml version="1.0" encoding="utf-8"?>
│ │ │ +<License owner="M/Monit Trial License">RWHF4G37EI-JP4OL76I54-WCVZ7ME6LW-KNKTFPA7LX-45NLVXAEHE
│ │ │ +    TG64MK2FPH-LNWTQHR765-YXDN2RUUCO-4XMONVVEDT-KZ4HDMI3ZH
│ │ │ +    XLKCWK5O4J-HOAYAYOOVO-E5UQSIMFIV-S35TY7VZWX-XN3RBBNUIH
│ │ │ +    UVB55MNYLE-IPXIHYNCNK-YFXVZKSZB6-RUQQTJKYAW-A6YZ5R7TND
│ │ │ +    KRITS</License>
│ │ │ -<License owner="M/Monit Trial License">MLM2MC2QXC-K4B3DV665E-YYGZODO7RG-H7IV7BP6W6-YSIMKXSGHJ
│ │ │ -    OAMRLOZMUX-GE53JMF7FE-M3BHSOA5FI-FTO2REL3LH-RNOXD6NTDU
│ │ │ -    XQNONFAICB-J7SW6NEDGA-UUFHG6IG7Z-URHUWTKW7O-T3O7BVFAC7
│ │ │ -    HF4KNQGQM6-AGWDOVQF22-EEDPBIUPAX-YWTGMPKX3V-IKUQFWSRPQ
│ │ │ -    S7QJO</License>
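Review bot: the only file diffoscope reports as differing between the two store paths is conf/license.xml, and within it only the <License> value changes, so the checksum drift is fully explained by the rotating trial license and nothing in bin/ or lib/ moved. Pinning the hash of the whole tarball therefore cannot distinguish this benign rotation from a changed binary, which is the "minor security issue" raised below; a hash or signature published over the release with the trial license excluded (or the license shipped separately) would let consumers verify the binaries independently of the license.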

So it seems that the trial license gets updated over time. It seems like this is a nice convenience feature for people installing mmonit for the first time, but it creates a software reproducibility and maybe minor security issue, in that I cannot trust that an artifact at a given URL will have a consistent hash over time.

One possible solution would be to publish the trial license separately, or maybe dynamically fetch a trial license if one does not exist?
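One way to check the claim above from the consumer side, and to get a pin that survives the license rotation, is to hash the release with conf/license.xml excluded. The script below is an added example, not code from this issue or from Tildeslash; it assumes the tarball layout implied by the derivation (a top-level directory containing bin/ and conf/license.xml), builds constructed sample tarballs in place of real downloads, and uses only tar, find and coreutils.

```shell
#!/bin/sh
# Added example, not code from the issue or from Tildeslash: hash a release
# tarball while ignoring conf/license.xml, so the rotating trial license no
# longer changes the checksum but any change to the shipped binaries still does.
# The tarball layout (top-level directory, bin/, conf/license.xml) is assumed
# from the derivation above; the sample tarballs below are constructed here.
set -eu

# normalized_hash TARBALL
# Prints a sha256 over a sorted manifest of "sha256  path" lines for every
# regular file in the tarball except */conf/license.xml.
normalized_hash() {
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp"
    # The top-level directory name stays in the path, so a renamed release
    # (for example a different version) also changes the hash.
    h=$(cd "$tmp" && find . -type f ! -path '*/conf/license.xml' -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum | sha256sum | cut -d' ' -f1)
    rm -rf "$tmp"
    printf '%s\n' "$h"
}

# raw_hash TARBALL: the sha256 of the file exactly as downloaded.
raw_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# make_sample_release OUT KEY BINARY_CONTENT
# Builds a constructed tarball with the real release's layout; the license
# key and "binary" contents are placeholders, not vendor data.
make_sample_release() {
    work=$(mktemp -d)
    mkdir -p "$work/mmonit-3.7.12/bin" "$work/mmonit-3.7.12/conf"
    printf '%s\n' "$3" > "$work/mmonit-3.7.12/bin/mmonit"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<License owner="M/Monit Trial License">%s</License>\n' "$2" \
        > "$work/mmonit-3.7.12/conf/license.xml"
    tar -czf "$1" -C "$work" mmonit-3.7.12
    rm -rf "$work"
}

# demo: two downloads that differ only in the trial license get the same
# normalized hash although their raw hashes differ; a download whose binary
# changed gets a different normalized hash. Exit status 0 when all three hold.
demo() {
    d=$(mktemp -d)
    make_sample_release "$d/a.tar.gz" "KEY-ROTATION-1" "mmonit binary v1"
    make_sample_release "$d/b.tar.gz" "KEY-ROTATION-2" "mmonit binary v1"
    make_sample_release "$d/c.tar.gz" "KEY-ROTATION-1" "mmonit binary v1 (modified)"
    ra=$(raw_hash "$d/a.tar.gz")
    rb=$(raw_hash "$d/b.tar.gz")
    na=$(normalized_hash "$d/a.tar.gz")
    nb=$(normalized_hash "$d/b.tar.gz")
    nc=$(normalized_hash "$d/c.tar.gz")
    rm -rf "$d"
    [ "$ra" != "$rb" ] && [ "$na" = "$nb" ] && [ "$na" != "$nc" ]
}

if demo; then
    echo "normalized hash ignores the trial license and still detects binary changes"
else
    echo "unexpected hash behaviour" >&2
    exit 1
fi
```

The same normalization (unpack, delete conf/license.xml, then hash the tree) is what a fixed-output Nix derivation with outputHashMode = "recursive" would need to do in its fetch step to give the package a stable hash. It only makes the pin insensitive to the license; it cannot tell a vendor rebuild from a substituted binary, which is why a checksum or signature published by the vendor over the license-free contents remains the better answer.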

Comments (2)

  1. Tildeslash repo owner

    Hello Ryan, yes, you’re right, the embedded trial license is updated regularly, so it changes the package checksum.

    We’ll modify the trial license in the future release. We have a framework for external trial license already, but we use it just for the MacOS package.
