deluge 1.3.0 checksum error

Bayard Bell buffer.g.overflow at googlemail.com
Thu Sep 30 09:23:35 PDT 2010


I've been trying to build deluge 1.3.0 but am getting failures for all three checksums. Here's what I see in the logs:

:msg:fetch --->  Attempting to fetch deluge-1.3.0.tar.bz2 from http://download.deluge-torrent.org/source/
:msg:fetch --->  Verifying checksum(s) for deluge
:debug:checksum checksum phase started at Thu Sep 30 15:48:32 BST 2010
:debug:checksum Executing org.macports.checksum (deluge)
:info:checksum --->  Checksumming deluge-1.3.0.tar.bz2
:error:checksum Checksum (md5) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5 d3cdb501983fcf793ee368b5a8e429c0
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5 5fca34e2e31753a8ba0ccb942f0e993e
:error:checksum Checksum (sha1) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1 75c1030bbd32c9eebea53c021e19035ebe343c14
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1 8acefff67bd82e38314b43887bd5f10da9a12052
:error:checksum Checksum (rmd160) mismatch for deluge-1.3.0.tar.bz2
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 rmd160 28d2162d67684f1969ed5a8882dea358bb022bd2
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 rmd160 dca83b23603a140d4abbb4de7672bf4259018167
:info:checksum The correct checksum line may be:
:info:checksum checksums           md5     5fca34e2e31753a8ba0ccb942f0e993e \
                    sha1    8acefff67bd82e38314b43887bd5f10da9a12052 \
                    rmd160  dca83b23603a140d4abbb4de7672bf4259018167
:error:checksum Target org.macports.checksum returned: Unable to verify file checksums
:debug:checksum Backtrace: Unable to verify file checksums
    while executing
"$procedure $targetname"

I've checked the release notes (http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.0), and it appears that either someone has completely hijacked the distribution infrastructure for deluge and replaced the checksum values or that macports has got it wrong. I'm not sure why macports would have this wrong, but I did notice the following further details:

1) these aren't the checksums for the earlier 1.3.0 release candidates
2) the changeset for 1.3.0 that provides these checksums (https://trac.macports.org/changeset/71478) is dated September 14, whereas the distribution I'm trying to download dates the bz2 source September 18, which is the same date as given on the release notes, suggesting that macports pushed 1.3.0 pre-release and thus ended up with the wrong checksums
3) trying to find copies of 1.3.0 through alternate distribution channels, I don't find anyone else's bz2 distro to compare, but I do notice that numerous sites announce the release on the 14th and provide various other types of distribution as of that date, noting that release notes are not yet available, suggesting that something changed between announcement and initial availability and the release for which notes are available, which may be as trivial a difference as the addition of release notes
4) unfortunately there are neither SSL-verifiable release notes (deluge-torrent.org is a virtual domain running on the OSU Open Source Lab, where the certificate is expired and doesn't support validation of the virtually hosted domains) nor signed checksums (I've posted to the deluge forums about this problem in attributing the checksums and verifying their integrity)

All the same, I tend to think that this is not a case of hijacking a distribution channel to propagate trojaned software. I'm going to go ahead and build this via a local Portfile override, but I'd appreciate another pair of eyes on this, just in case I'm wrong.

Cheers,
Bayard
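
Added example, not part of the original post: a Python sketch of the comparison described in point 3, which parses the Portfile and Distfile digests out of a MacPorts checksum log and reports which of them an independently obtained copy of the tarball matches. The function names and the SAMPLE_LOG excerpt are assumptions made for illustration; the digest values are the ones quoted in the log above.

```python
import hashlib
import re

# Constructed sample: the md5 and sha1 lines from the log quoted in the post.
SAMPLE_LOG = """\
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5 d3cdb501983fcf793ee368b5a8e429c0
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5 5fca34e2e31753a8ba0ccb942f0e993e
:info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1 75c1030bbd32c9eebea53c021e19035ebe343c14
:info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1 8acefff67bd82e38314b43887bd5f10da9a12052
"""

LINE_RE = re.compile(
    r":info:checksum (Portfile|Distfile) checksum: (\S+) (\w+) ([0-9a-f]+)\s*$")
HASHLIB_NAME = {"rmd160": "ripemd160"}  # MacPorts label -> hashlib name


def parse_checksum_log(text):
    """Return {distfile: {algo: {"Portfile": hex, "Distfile": hex}}}."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            source, name, algo, digest = m.groups()
            parsed.setdefault(name, {}).setdefault(algo, {})[source] = digest
    return parsed


def digest_file(path, algos):
    """Hash one file with every requested algorithm this Python build supports."""
    hashers = {}
    for algo in algos:
        try:
            hashers[algo] = hashlib.new(HASHLIB_NAME.get(algo, algo))
        except ValueError:  # e.g. ripemd160 missing from the OpenSSL build
            continue
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def classify_copy(path, recorded):
    """Say whether an independently obtained copy matches the Portfile digest,
    the digest of the file MacPorts fetched, or neither, per algorithm."""
    result = {}
    for algo, digest in digest_file(path, recorded).items():
        hits = [src for src, want in recorded[algo].items() if want == digest]
        result[algo] = hits[0] if hits else "neither"
    return result
```

A copy fetched over a different channel that classifies as "Distfile" for every algorithm only shows that both channels serve the same bytes; it does not authenticate the release, which still needs a signed checksum or a verified TLS origin.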