Difference between revisions of "Dealing with checksum mismatch"

From Openembedded.org
Jump to: navigation, search
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Outdated}}
+
It happens occasionally that incorrect SRC_URI checksums are being committed or that upstream changes tarballs without changing the filename.  In both cases, OE will bail out and complain about a mismatch in checksums. This is a potentially serious issue and it is important to resolve the situation with care.
  
It happens that incorrect checksums are being committed or that upstream changes tarballs without changing the filename.  In both cases, OE will bail out and complain about a mismatch in checksums (unless OE_ALLOW_INSECURE_DOWNLOADS is enabled). Here are the steps a developer should take to resolve the issue safely.
+
Firstly, try a bitbake xxxx -c cleanall and try re-fetching the download to ensure this wasn't just a bad download. If it continues to fail, post on the mailing list for the layer concerned and ask whether others are seeing the issue. It can also be worth downloading the file externally from bitbake/OE to confirm its not a fetcher issue.
  
* Look through "''mtn --diffs --no-merges log conf/checksums.ini| less''" and find the person who committed the current md5sum.
+
If there is some mirror with a bad file on it, that file can be removed and a request needs to be made to the maintainer of the mirror server. If the original commit was made with an incorrect checksum, this can also generally easily be identified and corrected.
* Contact them and ask them to md5sum their copy again.  Compare results if they still have the '''original''' tar file against which the original checksum was generated.
+
  
Then we have three possible scenarios.
+
If upstream itself has changed the tarball, this is a much more problematic situation and we need to understand why this has happened, what the change is and then made a decision on how to proceed.
  
# the original committer does not have the original file anymore or is unsure about its integrity.  In that case, please write to openembedded-devel@lists.linuxtogo.org.  Don't do anything further.
+
Above all, the most important thing is '''not''' to just blindly change the checksum to the current matching value without understanding why the change has occurred - if you do you could then be using source code which has been tampered with as part of your build.
# the original committer generates the same md5sum as you, indicating an error in the original commit.  In this case we can safely commit the update.  Indicate in your commit message that yours and the other person's md5sum matched
+
# the numbers don't match. Then we need to consult upstream and ask if they changed the tarball. Sadly this is something that commonly happens.  After confirmation from upstream we can update checksums.ini.
+
  
 
[[Category:Policy]]
 
[[Category:Policy]]
 
[[Category:FAQ]]
 
[[Category:FAQ]]

Latest revision as of 12:05, 18 February 2013

It happens occasionally that incorrect SRC_URI checksums are being committed or that upstream changes tarballs without changing the filename. In both cases, OE will bail out and complain about a mismatch in checksums. This is a potentially serious issue and it is important to resolve the situation with care.

Firstly, try a bitbake xxxx -c cleanall and try re-fetching the download to ensure this wasn't just a bad download. If it continues to fail, post on the mailing list for the layer concerned and ask whether others are seeing the issue. It can also be worth downloading the file externally from bitbake/OE to confirm its not a fetcher issue.

If there is some mirror with a bad file on it, that file can be removed and a request needs to be made to the maintainer of the mirror server. If the original commit was made with an incorrect checksum, this can also generally easily be identified and corrected.

If upstream itself has changed the tarball, this is a much more problematic situation and we need to understand why this has happened, what the change is and then made a decision on how to proceed.

Above all, the most important thing is not to just blindly change the checksum to the current matching value without understanding why the change has occurred - if you do you could then be using source code which has been tampered with as part of your build.

Personal tools
Namespaces

Variants
Actions
Navigation
Categories
OE services
Toolbox