Opened 9 months ago
Closed 9 months ago
#69132 closed defect (fixed)
www/caddy: imdario-mergo-v0.3.12.tar.gz checksum mismatch
Reported by: | mrdomino (Jōshin) | Owned by: | mohd-akram (Mohamed Akram) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | Cc: | ||
Port: | caddy |
Description
The checksums in caddy's Portfile do not match for that file, but the file size does match. Probably we should figure out why they changed and/or verify that the file's current contents are still trustworthy enough.
A draft pull request that shows the current checksums is here:
Change History (16)
comment:1 Changed 9 months ago by mrdomino (Jōshin)
comment:2 Changed 9 months ago by mrdomino (Jōshin)
I got the diff backwards, the current base directory on Github is darccio-mergo-29fb3d3/
, which breaks the build after accounting for the checksum because macports is trying and failing to build imdario-mergo-*
.
comment:3 Changed 9 months ago by mrdomino (Jōshin)
As mentioned in the PR: it looks like the user may have changed their name. codeload.github.com is redirecting imdario/mergo to darccio/mergo, giving the downloaded file the name darccio-mergo-v0.3.12.tar.gz
, and using darccio-mergo
for its generated base directory name. AFAICT this breaks anyone trying to import github.com/imdario/mergo
if they are using codeload.github.com.
comment:4 Changed 9 months ago by jmroot (Joshua Root)
Owner: | set to mohd-akram |
---|---|
Port: | caddy added |
Status: | new → assigned |
This is a problem commonly seen with the github portgroup when using the legacy tarball type. The solution there is to use the newer archive
tarballs. I'm not sure how you would do the equivalent with golang.
comment:5 Changed 9 months ago by mohd-akram (Mohamed Akram)
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:6 Changed 9 months ago by mrdomino (Jōshin)
Resolution: | fixed |
---|---|
Status: | closed → reopened |
This does not seem to fix the issue. imdario-mergo-v0.3.13.tar.gz is still downloaded from codeload.github.com/imdario/mergo/legacy.tar.gz on my machine, which still redirects to darccio/mergo, which has a different checksum from the one published in the Portfile.
Changing the dependency to darccio/mergo breaks the build, as demonstrated here:
comment:7 Changed 9 months ago by mohd-akram (Mohamed Akram)
Redirects shouldn’t be a problem I think. I imagine the problem was due to the redirect being implemented after the distfile was cached by MacPorts. Since I bumped the version of that dependency, we get new distfiles anyway. Does it not build on your system? Double check that you’re building 2.7.6.
comment:8 Changed 9 months ago by mrdomino (Jōshin)
It does not build on my system and I am building 2.7.6. The redirect results in the base folder in the new distfile being darccio-mergo
.
comment:9 Changed 9 months ago by mohd-akram (Mohamed Akram)
Could you please post the log file or the relevant bit on the checksum mismatch? It builds on the CI and my machine so this is strange.
comment:10 Changed 9 months ago by mrdomino (Jōshin)
Specifically, this is what I see when I build caddy from macports-ports master:
:info:checksum ---> Checksumming imdario-mergo-v0.3.13.tar.gz :debug:checksum Calculated (rmd160) is 65d54781b1014dafe97e40214ead7f6eedd83b1c :error:checksum Checksum (rmd160) mismatch for imdario-mergo-v0.3.13.tar.gz :info:checksum Portfile checksum: imdario-mergo-v0.3.13.tar.gz rmd160 2e6fc2ada1f9d67c92a0d23dd0535e53760d7f16 :info:checksum Distfile checksum: imdario-mergo-v0.3.13.tar.gz rmd160 65d54781b1014dafe97e40214ead7f6eedd83b1c :debug:checksum Calculated (sha256) is 5660b22f540687b245cf9e222ce59ef8bdae2c7843c2547c4824d0771d22990f :error:checksum Checksum (sha256) mismatch for imdario-mergo-v0.3.13.tar.gz :info:checksum Portfile checksum: imdario-mergo-v0.3.13.tar.gz sha256 781fa2e7eb42828228bf9c524c955603f25664bb4ae741a34603067084bd0abc :info:checksum Distfile checksum: imdario-mergo-v0.3.13.tar.gz sha256 5660b22f540687b245cf9e222ce59ef8bdae2c7843c2547c4824d0771d22990f :debug:checksum Calculated (size) is 22817 :error:checksum Checksum (size) mismatch for imdario-mergo-v0.3.13.tar.gz :info:checksum Portfile checksum: imdario-mergo-v0.3.13.tar.gz size 22811 :info:checksum Distfile checksum: imdario-mergo-v0.3.13.tar.gz size 22817
comment:11 Changed 9 months ago by mrdomino (Jōshin)
And this is the fetch stage:
:info:fetch ---> imdario-mergo-v0.3.13.tar.gz does not exist in /opt/local/var/macports/distfiles/go :notice:fetch ---> Attempting to fetch imdario-mergo-v0.3.13.tar.gz from https://codeload.github.com/imdario/mergo/legacy.tar.gz/v0.3.13?dummy=
comment:12 Changed 9 months ago by mohd-akram (Mohamed Akram)
It's a bit strange that it immediately tries fetching from GitHub for you. This is what I have:
---> imdario-mergo-v0.3.13.tar.gz does not exist in /opt/local/var/macports/distfiles/go ---> Attempting to fetch imdario-mergo-v0.3.13.tar.gz from https://distfiles.macports.org/go ... ---> Checksumming imdario-mergo-v0.3.13.tar.gz DEBUG: Calculated (rmd160) is 2e6fc2ada1f9d67c92a0d23dd0535e53760d7f16 DEBUG: Correct (rmd160) checksum for imdario-mergo-v0.3.13.tar.gz DEBUG: Calculated (sha256) is 781fa2e7eb42828228bf9c524c955603f25664bb4ae741a34603067084bd0abc DEBUG: Correct (sha256) checksum for imdario-mergo-v0.3.13.tar.gz DEBUG: Calculated (size) is 22811 DEBUG: Correct (size) checksum for imdario-mergo-v0.3.13.tar.gz
comment:13 Changed 9 months ago by mrdomino (Jōshin)
Strange, I wonder why.
I guess maybe that distfile is also already cached from someone else depending on it?
comment:14 Changed 9 months ago by mohd-akram (Mohamed Akram)
I feel like there was a setting that disabled fetching from the distills.macports.org but I can't find it. Yes, it was indeed already cached that's why you had different checksums.
comment:15 Changed 9 months ago by jmroot (Joshua Root)
Closer sites (as determined by ping time) are tried first. As I mentioned above, this problem is due to github's legacy tarball interface not producing tarballs that are stable over time. That creates a stealth update situation (see PortfileRecipes#stealth-updates).
comment:16 Changed 9 months ago by Jōshin <git@…>
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Incredible,
darccio
andimdario
have the same number of characters.The difference owes to the base folder being either
darccio-mergo-29fb3d3
orimdario-mergo-29fb3d3
. distfiles.macports.org has theformerlatter (hence the workflow run failure for that PR on Github) and codeload.github.com has thelatterformer. There are no diffs reported bydiff -ru
between those two directories,so this is benign.What's the resolution here? Update distfiles to match Github I guess?