deluge 1.3.0 checksum error

Jeremy Huddleston jeremyhu at macports.org
Thu Sep 30 10:43:31 PDT 2010


Will the mirror script notice the changed checksums in the Portfile and attempt to grab a match?
  -- If not, we should probably "fix" that.

Will adding it to https://svn.macosforge.org/repository/macports/distfiles/deluge cause the mirrors to find this one instead?


On Sep 30, 2010, at 10:14, David Evans wrote:

> On 9/30/10 9:23 AM, Bayard Bell wrote:
>> I've been trying to build deluge 1.3.0 but am getting failures for all
>> three checksums. Here's what I see in the logs:
>> 
>> :msg:fetch --->  Attempting to fetch deluge-1.3.0.tar.bz2
>> from http://download.deluge-torrent.org/source/
>> :msg:fetch --->  Verifying checksum(s) for deluge
>> :debug:checksum checksum phase started at Thu Sep 30 15:48:32 BST 2010
>> :debug:checksum Executing org.macports.checksum (deluge)
>> :info:checksum --->  Checksumming deluge-1.3.0.tar.bz2
>> :error:checksum Checksum (md5) mismatch for deluge-1.3.0.tar.bz2
>> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 md5
>> d3cdb501983fcf793ee368b5a8e429c0
>> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 md5
>> 5fca34e2e31753a8ba0ccb942f0e993e
>> :error:checksum Checksum (sha1) mismatch for deluge-1.3.0.tar.bz2
>> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 sha1
>> 75c1030bbd32c9eebea53c021e19035ebe343c14
>> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 sha1
>> 8acefff67bd82e38314b43887bd5f10da9a12052
>> :error:checksum Checksum (rmd160) mismatch for deluge-1.3.0.tar.bz2
>> :info:checksum Portfile checksum: deluge-1.3.0.tar.bz2 rmd160
>> 28d2162d67684f1969ed5a8882dea358bb022bd2
>> :info:checksum Distfile checksum: deluge-1.3.0.tar.bz2 rmd160
>> dca83b23603a140d4abbb4de7672bf4259018167
>> :info:checksum The correct checksum line may be:
>> :info:checksum checksums           md5    
>> 5fca34e2e31753a8ba0ccb942f0e993e \
>>                    sha1    8acefff67bd82e38314b43887bd5f10da9a12052 \
>>                    rmd160  dca83b23603a140d4abbb4de7672bf4259018167
>> :error:checksum Target org.macports.checksum returned: Unable to
>> verify file checksums
>> :debug:checksum Backtrace: Unable to verify file checksums
>>    while executing
>> "$procedure $targetname"
>> 
>> I've checked the release notes
>> (http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.0), and it
>> appears that either someone has completely hijacked the distribution
>> infrastructure for deluge and replaced the checksum values or that
>> macports has got it wrong. I'm not sure why macports would have this
>> wrong, but I did notice the following further details:
>> 
>> 1) these aren't the checksums for the earlier 1.3.0 release candidates
>> 2) the changeset for 1.3.0 that provides these checksums
>> (https://trac.macports.org/changeset/71478) is dated September 14,
>> whereas the distribution I'm trying to download dates the bz2 source
>> September 18, which is the same date as given on the release notes,
>> suggesting that macports pushed 1.3.0 pre-release and thus ended up
>> with the wrong checksums
>> 3) trying to find copies of 1.3.0 through alternate distribution
>> channels, I don't find anyone else's bz2 distro to compare, but I do
>> notice that numerous sites announce the release on the 14th and
>> provide various other types of distribution as of that date, noting
>> that release notes are not yet available, suggesting that something
>> changed between announcement and initial availability and the release
>> for which notes are available, which may be as trivial a difference as
>> the addition of release notes
>> 4) unfortunately there's neither SSL-verifiable release notes
>> (deluge-torrent.org <http://deluge-torrent.org/> is a virtual domain
>> running on the OSU Open Source Lab, where the certificate is expired
>> and doesn't support validation of the virtually hosted domains) nor
>> signed checksums (I've posted to the deluge forums about this problem
>> in attributing the checksums and verifying their integrity)
>> 
>> All the same, I tend to think that this is not a case of hijacking a
>> distribution channel to propagate trojaned software. I'm going to go
>> ahead and build this via a local Portfile override, but I'd appreciate
>> another pair of eyes on this, just in case I'm wrong.
>> 
>> Cheers,
>> Bayard
>> 
>> 
>> _______________________________________________
>> macports-users mailing list
>> macports-users at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-users
> It appears that the deluge-torrent.org prematurely published a copy of
> 1.3.0 on their site and later retracted
> it, substituting a different file with the same version number. 
> Unfortunately, the deluge port was
> updated to 1.3.0 while the old file still existed. 
> 
> I agree that the new version is probably legitimate but there is
> difficulty in verifying the checksums as
> you have stated.
> 
> In addition, the earlier version of the file is cached on the macports
> own mirrors so the port will fetch
> a different version of the file depending on which site it thinks is
> closer.  In my case, I always get
> it from distfiles.macports.org, which is geographically closer to me
> than the OSU site. So the checksums
> pass.
> 
> So a question for the more knowledgeable is how to purge the old file
> from the macports mirrors
> and/or under which circumstances it will be automatically updated.
> 
> Dave
> 
> 
> 
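As an added example (not code from this thread or from MacPorts itself), a small Python re-creation of the checksum phase shown in the log above: parse the Portfile `checksums` line, hash the fetched bytes, and accept the distfile only if every declared digest matches. The Portfile digests are the ones quoted in the log; the distfile bytes are constructed, so the first check fails the way the stale-mirror case did.

```python
import hashlib

# Portfile "checksums" line for deluge-1.3.0.tar.bz2 as quoted in the log on this page
# (MacPorts backslash-continued style): the digests the port expected.
PORTFILE_CHECKSUMS = """checksums md5 d3cdb501983fcf793ee368b5a8e429c0 \\
    sha1 75c1030bbd32c9eebea53c021e19035ebe343c14 \\
    rmd160 28d2162d67684f1969ed5a8882dea358bb022bd2"""
# Constructed stand-in for the fetched distfile; not the real tarball.
SAMPLE_DISTFILE = b"constructed sample bytes standing in for deluge-1.3.0.tar.bz2\n"
# MacPorts algorithm names -> hashlib names
ALGO_NAMES = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160", "sha256": "sha256"}

def parse_checksums(line):
    """Turn a Portfile 'checksums [distfile] algo hex ...' line into {algo: hex}."""
    tokens = line.replace("\\\n", " ").split()
    if not tokens or tokens[0] != "checksums":
        raise ValueError("not a checksums line")
    tokens = tokens[1:]
    if tokens and tokens[0] not in ALGO_NAMES:  # optional leading distfile name
        tokens = tokens[1:]
    if len(tokens) % 2:
        raise ValueError("algorithm name without a digest")
    return {tokens[i]: tokens[i + 1].lower() for i in range(0, len(tokens), 2)}

def digest(data, algo):
    """Hex digest of data, or None when this OpenSSL build does not offer the hash."""
    try:
        h = hashlib.new(ALGO_NAMES[algo])
    except (KeyError, ValueError):  # e.g. ripemd160 moved to the OpenSSL legacy provider
        return None
    h.update(data)
    return h.hexdigest()

def verify(data, expected):
    """Per algorithm: (status, portfile_digest, distfile_digest); status is ok/mismatch/unavailable."""
    results = {}
    for algo, want in expected.items():
        got = digest(data, algo)
        status = "unavailable" if got is None else ("ok" if got == want else "mismatch")
        results[algo] = (status, want, got)
    return results

def all_ok(results):
    """The fetch passes only when every declared digest matched; an unavailable hash fails."""
    return bool(results) and all(r[0] == "ok" for r in results.values())

def suggested_line(data, algos=("md5", "sha1", "rmd160")):
    """The 'correct checksum line may be' hint from the log, for re-pinning after review."""
    parts = [f"{a} {digest(data, a)}" for a in algos if digest(data, a) is not None]
    return "checksums " + " \\\n    ".join(parts)
```

Treating "unavailable" as a failure matters: a digest that silently cannot be computed would otherwise let a file through on the strength of fewer checks than the Portfile declares.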
