Bug #3132

libre: asciidoc: The 8.6.10 source package changed upstream

GNUtoo - 6 days ago. Updated 6 days ago.

Status: unconfirmed
Priority: bug
Assignee: -
% Done: 0%


Description

While building asciidoc I have:

 |  ==> Validating source files with sha256sums...
 |      asciidoc-8.6.10.tar.gz ... FAILED
 |  ==> ERROR: One or more files did not pass the validity check!
 |  ==> ERROR: Could not download sources.
+ get_output x86_64 libre/asciidoc /home/parabola/packages/libre/asciidoc

The PKGBUILD has the following:

sha256sums=('9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983')

And instead what I have downloaded has:

$ sha256sum asciidoc-8.6.10.tar.gz 
22d6793d4f48cefb4a6963853212a214591a591ece1bcbc56af3c67c642003ea  asciidoc-8.6.10.tar.gz

And here both tarballs are different, and the sha256sum that is in the PKGBUILD does correspond to the archive checksum at the time.

This can be verified by downloading the asciidoc package source at:

The signature matches:

$ gpg --verify asciidoc-8.6.10-2.parabola1-any.src.tar.gz.sig 
gpg: assuming signed data in 'asciidoc-8.6.10-2.parabola1-any.src.tar.gz'
gpg: Signature made lun. 20 juil. 2020 07:57:07 CEST
gpg:                using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <bill-auger@peers.community>" [unknown]
gpg:                 aka "bill-auger <mr.j.spam.me@gmail.com>" [unknown]
gpg:                 aka "bill-auger <bill-auger@programmer.net>" [unknown]
gpg:                 aka "[jpeg image of size 6017]" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9  7989 25DB 7D9B 5A8D 4B40
     Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7  2853 9087 1091 3E8C 7778

And the checksum matches too:

$ tar tf asciidoc-8.6.10-2.parabola1-any.src.tar.gz 
asciidoc/
asciidoc/PKGBUILD
asciidoc/.SRCINFO
asciidoc/asciidoc-8.6.10.tar.gz
$ tar xf asciidoc-8.6.10-2.parabola1-any.src.tar.gz
asciidoc-8.6.10.tar.gz  PKGBUILD                .SRCINFO                
$ sha256sum asciidoc/asciidoc-8.6.10.tar.gz 
9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983  asciidoc/asciidoc-8.6.10.tar.gz

So the source was clearly modified upstream between when the package was made and now.

So let's look at the differences. For reference we have the following files:

$ sha256sum 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz asciidoc-8.6.10.tar.gz 
9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983  9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz
22d6793d4f48cefb4a6963853212a214591a591ece1bcbc56af3c67c642003ea  asciidoc-8.6.10.tar.gz

And I'll attach the output of:

$ diffoscope 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz asciidoc-8.6.10.tar.gz > asciidoc-8.6.10.tar.gz-diff.txt


Files

History

#2

Updated by GNUtoo 6 days ago

Here the fix is probably to update it to the same version as Arch Linux.

If we fix that, we can rebuild the packages whose signatures don't match anymore (due to an expired key), which includes mkinitcpio that fixes a bug that prevents boot.
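
An added example (not from the bug report or from Parabola's tooling): a Python version of the triage that the diffoscope comparison in the description serves, separating members whose bytes changed from members where only tar metadata (mtime, ownership, mode) changed. The archives are constructed in memory and the function names are hypothetical.

```python
import hashlib
import io
import tarfile

def index(blob):
    """Map member name -> (sha256 of content or None, metadata tuple)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            f = tar.extractfile(m) if m.isreg() else None
            digest = hashlib.sha256(f.read()).hexdigest() if f else None
            out[m.name] = (digest, (m.type, m.mode, m.uid, m.gid, m.mtime, m.linkname))
    return out

def triage(old_blob, new_blob):
    """Classify differences between two archives of the same release."""
    old, new = index(old_blob), index(new_blob)
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "content": [], "metadata": []}
    for name in sorted(old.keys() & new.keys()):
        if old[name][0] != new[name][0]:
            report["content"].append(name)    # file bytes differ: needs review
        elif old[name][1] != new[name][1]:
            report["metadata"].append(name)   # same bytes, repacked headers
    return report

def make_tar(files, mtime):
    """Build a constructed sample .tar.gz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples; these are not the real asciidoc tarballs.
BASE = {"asciidoc-8.6.10/README": b"readme\n",
        "asciidoc-8.6.10/asciidoc.py": b"print('a')\n"}
OLD = make_tar(BASE, mtime=1500000000)
REPACKED = make_tar(BASE, mtime=1600000000)
MODIFIED = make_tar({**BASE, "asciidoc-8.6.10/asciidoc.py": b"print('b')\n",
                     "asciidoc-8.6.10/new.txt": b"x\n"}, mtime=1500000000)

if __name__ == "__main__":
    for label, blob in (("repacked", REPACKED), ("modified", MODIFIED)):
        print(label, hashlib.sha256(blob).hexdigest() != hashlib.sha256(OLD).hexdigest(),
              triage(OLD, blob))
```

Both sample archives fail a pinned sha256 check against the old one, but only the second reports entries under "content" or "added"; a pinned checksum should be updated only after those entries have been reviewed.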
