deluge 1.3.0 checksum error

David Evans devans at macports.org
Thu Sep 30 10:14:13 PDT 2010


 On 9/30/10 9:23 AM, Bayard Bell wrote:
> I've been trying to build deluge 1.3.0 but am getting failures for all
> three checksums. Here's what I see in the logs:
>
> :msg:fetch --->  Attempting to fetch deluge-1.3.0.tar.bz2 from http://download.deluge-torrent.org/source/
> :msg:fetch --->  Verifying checksum(s) for deluge
> :debug:checksum checksum phase started at Thu Sep 30 15:48:32 BST 2010
> :debug:checksum Executing org.macports.checksum (deluge)
> :info:checksum --->  Checksumming deluge-1.3.0.tar.bz2
> :error:checksum Checksum (md5) mismatch for deluge-1.3.0.tar.bz2
> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5 d3cdb501983fcf793ee368b5a8e429c0
> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5 5fca34e2e31753a8ba0ccb942f0e993e
> :error:checksum Checksum (sha1) mismatch for deluge-1.3.0.tar.bz2
> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1 75c1030bbd32c9eebea53c021e19035ebe343c14
> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1 8acefff67bd82e38314b43887bd5f10da9a12052
> :error:checksum Checksum (rmd160) mismatch for deluge-1.3.0.tar.bz2
> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 rmd160 28d2162d67684f1969ed5a8882dea358bb022bd2
> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 rmd160 dca83b23603a140d4abbb4de7672bf4259018167
> :info:checksum The correct checksum line may be:
> :info:checksum checksums           md5     5fca34e2e31753a8ba0ccb942f0e993e \
>                     sha1    8acefff67bd82e38314b43887bd5f10da9a12052 \
>                     rmd160  dca83b23603a140d4abbb4de7672bf4259018167
> :error:checksum Target org.macports.checksum returned: Unable to verify file checksums
> :debug:checksum Backtrace: Unable to verify file checksums
>     while executing
> "$procedure $targetname"
>
> I've checked the release notes
> (http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.0), and it
> appears that either someone has completely hijacked the distribution
> infrastructure for deluge and replaced the checksum values or that
> macports has got it wrong. I'm not sure why macports would have this
> wrong, but I did notice the following further details:
>
> 1) these aren't the checksums for the earlier 1.3.0 release candidates
> 2) the changeset for 1.3.0 that provides these checksums
> (https://trac.macports.org/changeset/71478) is dated September 14,
> whereas the distribution I'm trying to download dates the bz2 source
> September 18, which is the same date as given on the release notes,
> suggesting that macports pushed 1.3.0 pre-release and thus ended up
> with the wrong checksums
> 3) trying to find copies of 1.3.0 through alternate distribution
> channels, I don't find anyone else's bz2 distro to compare, but I do
> notice that numerous sites announce the release on the 14th and
> provide various other types of distribution as of that date, noting
> that release notes are not yet available, suggesting that something
> changed between announcement and initial availability and the release
> for which notes are available, which may be as trivial a difference as
> the addition of release notes
> 4) unfortunately there's neither SSL-verifiable release notes
> (deluge-torrent.org <http://deluge-torrent.org/> is a virtual domain
> running on the OSU Open Source Lab, where the certificate is expired
> and doesn't support validation of the virtually hosted domains) nor
> signed checksums (I've posted to the deluge forums about this problem
> in attributing the checksums and verifying their integrity)
>
> All the same, I tend to think that this is not a case of hijacking a
> distribution channel to propagate trojaned software. I'm going to go
> ahead and build this via a local Portfile override, but I'd appreciate
> another pair of eyes on this, just in case I'm wrong.
>
> Cheers,
> Bayard
>
>

It appears that deluge-torrent.org prematurely published a copy of
1.3.0 on their site and later retracted it, substituting a different
file with the same version number. Unfortunately, the deluge port was
updated to 1.3.0 while the old file still existed.

I agree that the new version is probably legitimate but there is
difficulty in verifying the checksums as you have stated.

In addition, the earlier version of the file is cached on MacPorts'
own mirrors, so the port will fetch a different version of the file
depending on which site it thinks is closer. In my case, I always get
it from distfiles.macports.org, which is geographically closer to me
than the OSU site. So the checksums pass.

So a question for the more knowledgeable is how to purge the old file
from the macports mirrors and/or under which circumstances it will be
automatically updated.

Dave
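
The situation described in this thread (one distfile name, different bytes depending on which mirror answers) can be checked mechanically. The following is an added example, not part of the original thread and not MacPorts code: the function names are hypothetical, the two byte strings are constructed stand-ins for the early and re-published tarballs, and only the two hostnames come from the messages above.

```python
import hashlib
from collections import defaultdict

# md5 and sha1 as in the log above; rmd160 is left out because hashlib
# only provides it on some OpenSSL builds.
ALGOS = ("md5", "sha1")

def digests(data: bytes) -> dict:
    """Hex digests of one fetched copy under every pinned algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}

def audit_mirrors(pinned: dict, copies: dict) -> dict:
    """Compare each mirror's copy of one distfile name with the pinned checksums."""
    groups = defaultdict(list)   # sha1 digest -> mirrors serving that content
    per_mirror = {}
    for mirror, data in copies.items():
        got = digests(data)
        bad = [a for a in ALGOS if got[a] != pinned[a]]
        per_mirror[mirror] = "ok" if not bad else "mismatch:" + ",".join(bad)
        groups[got["sha1"]].append(mirror)
    if len(groups) > 1:
        verdict = "divergent"              # same name, different bytes per mirror
    elif all(v == "ok" for v in per_mirror.values()):
        verdict = "consistent"
    else:
        verdict = "pin-stale-or-tampered"  # mirrors agree with each other, not the pin
    return {"verdict": verdict, "mirrors": per_mirror,
            "distinct_files": len(groups)}

# Constructed sample data standing in for the two files published as 1.3.0.
EARLY = b"deluge-1.3.0 tarball as first published (constructed bytes)"
REROLLED = b"deluge-1.3.0 tarball as re-published (constructed bytes)"
PINNED = digests(EARLY)   # what the Portfile recorded when it was updated
COPIES = {
    "distfiles.macports.org": EARLY,            # mirror still caching the early file
    "download.deluge-torrent.org": REROLLED,    # upstream now serves the new file
}

if __name__ == "__main__":
    print(audit_mirrors(PINNED, COPIES))
```

A "divergent" or "pin-stale-or-tampered" verdict only says the bytes differ; telling a re-rolled release from a tampered one still needs checksums obtained over an authenticated channel, which is the gap raised in the quoted message.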


