[oe] [PATCH] wrong checksum for libsdl-mixer-1.2.9

Frans Meulenbroeks fransmeulenbroeks at gmail.com
Sun Nov 22 09:51:52 UTC 2009 

2009/11/21 Martin Jansa <martin.jansa at gmail.com>:
> On Sat, Nov 21, 2009 at 07:07:45PM +0100, Frans Meulenbroeks wrote:
>> 2009/11/21 Bernhard Kaindl <bernhard.kaindl at gmx.net>:
>> > Hi,
>> >   indeed, the SDL_mixer-1.2.9.tar.gz has changed on
>> > http://www.libsdl.org/projects/SDL_net/release,
>> > so conf/checksums.ini is outdated, as it stands, and has to be updated:
>> >
>> > Signed-off-by: Bernhard Kaindl <bernhard.kaindl at gmx.net>
>> >
>> >  1 file changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/conf/checksums.ini b/conf/checksums.ini
>> > index 784a092..e1aac1f 100644
>> > --- a/conf/checksums.ini
>> > +++ b/conf/checksums.ini
>> > @@ -1099,8 +1099,8 @@ md5=0b5b91015d0f3bd9597e094ba67c4d65
>> >  sha256=a8222a274778ff16d0e3ee49a30db27a48a4d357169a915fc599a764e405e0b6
>> >
>> >  [http://www.libsdl.org/projects/SDL_mixer/release/SDL_mixer-1.2.9.tar.gz]
>> > -md5=a9eb8750e920829ff41dbe7555850156
>> > -sha256=557910a4a3aeed6d10238e26b5a39b19247115a1b352580082bb15dc02ae4b8d
>> > +md5=09eb4585f46d3527fe7fce8af8f9e591
>> > +sha256=7216a89d92327d2f0fe03e78f3c758a52be68c29daf8e971c226f4a3191e9ec0
>> >
>> >  [http://www.libsdl.org/projects/SDL_net/release/SDL_net-1.2.5.tar.gz]
>> >  md5=e45b1048d2747480dcc65ece4130a920
>> >
>> > Philip Balister schrieb:
>> >>
>> >> On 11/21/2009 01:15 AM, Robert P. J. Day wrote:
>> >>>
>> >>> On Sat, 21 Nov 2009, GNUtoo wrote:
>> >>>>
>> >>>> `/home/embedded/sources/SDL_mixer-1.2.9.tar.gz' saved [2690766/2690766]
>> >>>>
>> >>>> NOTE: The MD5Sums did not match. Wanted:
>> >>>> 'a9eb8750e920829ff41dbe7555850156' and Got:
>> >>>> '09eb4585f46d3527fe7fce8af8f9e591'
>> >>>
>> >>>   that second checksum is, in fact, the correct one for that tarball.
>> >>> and the sha256sum in conf/checksums.ini also doesn't match the one for
>> >>> that tarball.  if that used to be correct, does that mean someone has
>> >>> replaced a tarball with a different but identically-named one?
>>
>> Before committing this patch I would suggest comparing the new and the
>> old version to find out what is actually causing this and what has
>> been changed.
>> If we just blindly change checksums we might as well abandon them.
>> Also note that a change of the checksum means that everyone who has
>> the file in his/her download dir will get a checksum error.
>>
>> For now a nack from me.
>>
>> As this already happened before recently (perl twig) I suggest we
>> adapt a policy for this or maybe some automated removal (e.g. if you
>> have a file in your downloads dir with a checksum in blacklist.ini
>> that version is not used but removed or parked aside or something like
>> that).
>>
>> Frans
>
> As Bernhard probably hasn't old archive I tried it here
>
> /home/downloads/OE/SDL_mixer-1.2.9 $ ls -lR > lslR.txt
> /home/downloads/OE/SDL_mixer-1.2.9 $ cd ../SDL_mixer-1.2.9.new/
> /home/downloads/OE/SDL_mixer-1.2.9.new $ ls -lR > lslR.txt
> /home/downloads/OE/SDL_mixer-1.2.9.new $ cd ..
>
> /home/downloads/OE $ diff -rq SDL_mixer-1.2.9 SDL_mixer-1.2.9.new/
> Files SDL_mixer-1.2.9/lslR.txt and SDL_mixer-1.2.9.new/lslR.txt differ
>
> /home/downloads/OE $ diff -r SDL_mixer-1.2.9 SDL_mixer-1.2.9.new/
> All file rights are the same only dates changed from Oct 13 to Nov 7
>
> So it looks safe.
>
> martin at jama /home/downloads/OE $ md5sum SDL_mixer-1.2.9.tar.gz;
> sha256sum SDL_mixer-1.2.9.tar.gz
> a9eb8750e920829ff41dbe7555850156  SDL_mixer-1.2.9.tar.gz
> 557910a4a3aeed6d10238e26b5a39b19247115a1b352580082bb15dc02ae4b8d
> SDL_mixer-1.2.9.tar.gz
> martin at jama /home/downloads/OE $ md5sum SDL_mixer-1.2.9-new.tar.gz;
> sha256sum SDL_mixer-1.2.9-new.tar.gz
> 09eb4585f46d3527fe7fce8af8f9e591  SDL_mixer-1.2.9-new.tar.gz
> 7216a89d92327d2f0fe03e78f3c758a52be68c29daf8e971c226f4a3191e9ec0
> SDL_mixer-1.2.9-new.tar.gz
>
> Acked-by: Martin Jansa <Martin.Jansa at gmail.com>
>
> --
> uin:136542059                jid:Martin.Jansa at gmail.com
> Jansa Martin                 sip:jamasip at voip.wengo.fr
> JaMa
>

I'm flabbergasted.

The link Philip provided suggests this is a bug fix, but Martin does
not find any differences ????
Also this does not fix the problem that people will have wrong files
in their downloads dir.

Frans (who thingks the package upstream name should have been changed
after making the patch).

More information about the Openembedded-devel mailing list