Bug #3132
libre: asciidoc: The 8.6.10 source package changed upstream
Description
While building asciidoc I have:
| ==> Validating source files with sha256sums...
| asciidoc-8.6.10.tar.gz ... FAILED
| ==> ERROR: One or more files did not pass the validity check!
| ==> ERROR: Could not download sources.
+ get_output x86_64 libre/asciidoc /home/parabola/packages/libre/asciidoc
The PKGBUILD has the following:
sha256sums=('9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983')
And instead what I have downloaded has:
$ sha256sum asciidoc-8.6.10.tar.gz
22d6793d4f48cefb4a6963853212a214591a591ece1bcbc56af3c67c642003ea  asciidoc-8.6.10.tar.gz
And here both tarballs are different, and the sha256sum that is in the PKGBUILD does correspond to the archive checksum at the time.
This can be verified by downloading the asciidoc package source at:
- https://repo.parabola.nu/sources/parabola/asciidoc-8.6.10-2.parabola1-any.src.tar.gz
- https://repo.parabola.nu/sources/parabola/asciidoc-8.6.10-2.parabola1-any.src.tar.gz.sig
The signature matches:
$ gpg --verify asciidoc-8.6.10-2.parabola1-any.src.tar.gz.sig
gpg: assuming signed data in 'asciidoc-8.6.10-2.parabola1-any.src.tar.gz'
gpg: Signature made lun. 20 juil. 2020 07:57:07 CEST
gpg: using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <bill-auger@peers.community>" [unknown]
gpg: aka "bill-auger <mr.j.spam.me@gmail.com>" [unknown]
gpg: aka "bill-auger <bill-auger@programmer.net>" [unknown]
gpg: aka "[jpeg image of size 6017]" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9 7989 25DB 7D9B 5A8D 4B40
Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7 2853 9087 1091 3E8C 7778
And the checksum matches too:
$ tar tf asciidoc-8.6.10-2.parabola1-any.src.tar.gz
asciidoc/
asciidoc/PKGBUILD
asciidoc/.SRCINFO
asciidoc/asciidoc-8.6.10.tar.gz
$ tar xf asciidoc-8.6.10-2.parabola1-any.src.tar.gz asciidoc-8.6.10.tar.gz PKGBUILD .SRCINFO
$ sha256sum asciidoc/asciidoc-8.6.10.tar.gz
9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983  asciidoc/asciidoc-8.6.10.tar.gz
So the source was clearly modified upstream between when the package was made and now.
So let's look at the differences. For reference we have the following files:
$ sha256sum 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz asciidoc-8.6.10.tar.gz
9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983  9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz
22d6793d4f48cefb4a6963853212a214591a591ece1bcbc56af3c67c642003ea  asciidoc-8.6.10.tar.gz
And I'll attach the output of:
$ diffoscope 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz asciidoc-8.6.10.tar.gz > asciidoc-8.6.10.tar.gz-diff.txt
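An added example, not part of the original report or of Parabola's tooling: a member-by-member comparison of two source tarballs that separates content changes from metadata-only changes, which is the first thing to establish when an upstream archive no longer matches the checksum pinned in a PKGBUILD. The two archives, their file names and the helper names are constructed for illustration.

```python
import hashlib
import io
import tarfile

def make_tar(files, mtime):
    """Build a constructed .tar.gz in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), mtime
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def index_tar(data):
    """Map member name -> metadata plus SHA-256 of the file content."""
    index = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            digest = None
            if m.isfile():  # only regular files carry content to hash
                digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
            index[m.name] = {"type": m.type, "mode": m.mode, "uid": m.uid,
                             "gid": m.gid, "size": m.size, "mtime": m.mtime,
                             "linkname": m.linkname, "sha256": digest}
    return index

def compare(old, new):
    """Classify differences between two archives given as bytes."""
    a, b = index_tar(old), index_tar(new)
    report = {"added": sorted(b.keys() - a.keys()),
              "removed": sorted(a.keys() - b.keys()),
              "content": [], "metadata": []}
    for name in sorted(a.keys() & b.keys()):
        if (a[name]["type"], a[name]["sha256"]) != (b[name]["type"], b[name]["sha256"]):
            report["content"].append(name)   # bytes or member type changed
        elif a[name] != b[name]:
            report["metadata"].append(name)  # same bytes, different mtime/mode/owner
    return report

# Constructed sample: a re-rolled archive with new timestamps, one edited
# file and one extra file. These are not the real asciidoc tarballs.
OLD = make_tar({"pkg-1.0/README": b"docs\n",
                "pkg-1.0/tool.py": b"print('v1')\n"}, mtime=1500000000)
NEW = make_tar({"pkg-1.0/README": b"docs\n",
                "pkg-1.0/tool.py": b"print('v1, patched')\n",
                "pkg-1.0/extra.conf": b"k=v\n"}, mtime=1600000000)

if __name__ == "__main__":
    for kind, names in compare(OLD, NEW).items():
        print(f"{kind:9} {names}")
```

An empty `content`, `added` and `removed` with a non-empty `metadata` list points to a repack of identical sources; anything else means the shipped code itself changed and needs review before the pinned checksum is updated.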
History
Updated by GNUtoo over 2 years ago
Here the fix is probably to update it to the same version as Arch Linux.
If we fix that, we can rebuild the packages whose signatures don't match anymore (due to an expired key) which includes mkinitcpio that fixes a bug that prevents boot.
Updated by bill-auger over 2 years ago
the current 'asciidoc' package (v8.6.10-2.parabola1) was the only time i have touched this package - it was a simple rebuild - i did not need to change the upstream checksum
https://git.parabola.nu/abslibre.git/commit/?id=5c2e17da372fb0045c5ba4b8b08945457fdac820
Updated by bill-auger 11 months ago
- Status changed from unconfirmed to not-a-bug
i removed asciidoc from the blacklist
the blacklist reason (optdepends on blacklisted 'fop') no longer applies
a liberated 'fop' was added to [libre] some time later
probably 'asciidoc' could have been removed from [libre] then;
though the liberation of 'fop' and the related 'java-batik' were not well documented