hash changed for external rpm

Connie Sieh csieh at fnal.gov
Wed Mar 24 15:40:15 UTC 2010


On Tue, 23 Mar 2010, Mike McLean wrote:

> On 03/23/2010 06:33 PM, Connie Sieh wrote:
>> So I looked in the database rpminfo table for termcap and did see the
>> dbb204 hash.  I changed it to the 586d65 hash just to see if it would now
>> match. I reran the build.  Now it gets the "rpm" hash right but the
>> database is wrong.  How do I resync the repodata from my external
>> repository?  I have done way too many regen-repo in an attempt to fix
>> this.
>
> Generally speaking, you should not attempt to solve koji issues by
> making direct db changes.

I was not trying to fix the issue but understand it better.  The rpm at 
the repo has the hash that was in the database but when koji gets it and 
checks it is different.  I was trying to verify where koji was getting the 
"wrong" hash from.  I still do not know where the wrong hash is coming 
from because it is correct in the actual external repo.

>
> The cause of this error is exactly what it says: "hash changed for
> external rpm." I.e. for the external repo in question the rpm in
> question changed contents.
>

How does koji download the rpm?  I have assumed that yum does the heavy 
lifting to get the rpm from the external repo.  Could there be an 
incompatibility between how the rpm hash was added to the external repo as 
this is a RHEL 5 repo and thus used the RHEL 5 rpm to add the hash vs the 
code that is in Fedora 12?

> Koji insists on a few modest requirements for external repos. One of
> them is that for a given repo, rpms of a given n-v-r do not change
> contents (though resigning should be ok I think). This basic sanity
> check is necessary to properly track buildroot contents.
>
> Frankly, such behavior from a repo is suspicious. If it happened to me,
> I'd be concerned about a possible security issue with the external repo.
> Consider that if someone malicious were to hack into a repo and replace
> an rpm with a trojaned copy, this is /exactly/ the error you would see
> (though of course, it is more likely that someone simply rebuilt the rpm
> and didn't bump the release, which is very bad practice).

I verified that the external repo rpm has NOT changed.

>
> By changing the database as you have, you have altered history data
> about earlier buildroots that contained the rpm with the old hash. Now
> the system will report that they contained the rpm with the new hash,
> which is incorrect.

Again this was only so I could better understand the issue.

>
> If you feel that there was a legitimate reason for the rpm in the
> external repo to change then the workaround is, as Mike B wrote, to
> create a new external repo entry (with a new name) pointing to the same
> url and replace the old external with that in your tag hierarchy. The
> reason this works is that Koji does allow different external repos to
> disagree about the contents of a particular nvr.
>

-Connie Sieh
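
The rule discussed in this thread (within one external repo an n-v-r must keep the same contents, while differently named external repos may disagree) can be sketched as a small ledger. This is an added example, not part of the original message and not Koji's code; the class and function names, the repo names and the termcap version are assumptions made for illustration.

```python
# Added illustration, not Koji's code. Repo names and the termcap version
# are constructed; the short hashes are the abbreviations quoted in the thread.

class HashChanged(Exception):
    """A known (external repo, n-v-r-a) pair appeared with a different hash."""


class ExternalRpmLedger:
    def __init__(self):
        # (external_repo, nvra) -> hash first recorded for that pair
        self._seen = {}

    def audit(self, repo, listing):
        """Return [(nvra, recorded, offered)] conflicts; ledger is not modified."""
        conflicts = []
        for nvra, offered in sorted(listing.items()):
            recorded = self._seen.get((repo, nvra))
            if recorded is not None and recorded != offered:
                conflicts.append((nvra, recorded, offered))
        return conflicts

    def record(self, repo, listing):
        """Record a buildroot's external rpms, all or nothing."""
        conflicts = self.audit(repo, listing)
        if conflicts:
            nvra, old, new = conflicts[0]
            # Never overwrite: earlier buildroots really contained `old`.
            raise HashChanged(
                f"hash changed for external rpm: {nvra}@{repo} (old: {old}, new: {new})")
        for nvra, offered in listing.items():
            self._seen.setdefault((repo, nvra), offered)


def demo():
    ledger = ExternalRpmLedger()
    nvra = "termcap-1.0-1.noarch"                  # constructed version/arch
    ledger.record("rhel5-ext", {nvra: "dbb204"})
    ledger.record("rhel5-ext", {nvra: "dbb204"})   # same contents: accepted
    try:
        ledger.record("rhel5-ext", {nvra: "586d65"})
        rejected = False
    except HashChanged:
        rejected = True
    # A differently named entry for the same URL keeps its own history.
    ledger.record("rhel5-ext-2", {nvra: "586d65"})
    return rejected, ledger.audit("rhel5-ext", {nvra: "586d65"})


if __name__ == "__main__":
    print(demo())
```

Because a rejected hash is never written back, the record of what earlier buildroots contained stays intact, which is the property lost when the database row is edited by hand.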

