Source file audit - 2014-01-05

Toshio Kuratomi a.badger at gmail.com
Tue Jan 7 18:31:00 UTC 2014


On Tue, Jan 07, 2014 at 09:25:36AM +0100, Simone Caronni wrote:
> On 6 January 2014 20:53, Kevin Fenzi <kevin at scrye.com> wrote:
> 
>     slaanesh:BADSOURCE:dkms-2.2.0.3.tar.gz:dkms
> 
> 
> Downloading the file again gives a different md5sum, but the release tarball is
> the same, so probably the archive has been regenerated.
> 
> What's the procedure to update the source files in the lookaside cache when the
> file name has not changed? fedpkg new-sources does not allow me to do it:
> 
This should work.

> $ fedpkg new-sources dkms-2.2.0.3.tar.gz
> Uploading: 11a8aaade2ebec2803653837c7593030  dkms-2.2.0.3.tar.gz
> File already uploaded: dkms-2.2.0.3.tar.gz
> Uploaded and added to .gitignore:
> Source upload succeeded. Don't forget to commit the sources file
> 
Looking at the lookaside cache directly, it looks like that file has been
uploaded previously (in lookaside, there are currently two tarballs for
dkms-2.2.0.3.tar.gz with two separate md5sums).  Has the upstream perhaps
released a tarball, released a new tarball, and then reverted to the
original one?

One option is to change the sources file to reflect the new md5sum.

You may also want to check that the new tarball and the tarball in the
lookaside cache *really* are the same.  A hash collision is unlikely but if
that were the case we'd want to be extra certain about what's going on
before blindly accepting the changed tarball.

You can retrieve the tarballs in lookaside directly from here:
http://pkgs.fedoraproject.org/lookaside/pkgs/dkms/dkms-2.2.0.3.tar.gz/

-Toshio
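The check Toshio suggests, as an added example that is not part of this thread or of Fedora's packaging tools: fetch both copies of the tarball (the one in lookaside and the freshly downloaded one), hash each with md5 and a second, independent digest, and then compare what the archives actually contain rather than their bytes. A regenerated tar.gz differs in the gzip header timestamp and the tar members' mtimes even when every packaged file is unchanged, so "different md5sum" by itself does not distinguish a re-packed release from a tampered one. The script below builds three constructed sample archives in memory (an original, a byte-different re-pack of the same files, and one with a changed file); the file names and timestamps are made up for the illustration.

```python
import gzip
import hashlib
import io
import tarfile


def build_tgz(files, mtime):
    """Constructed sample only: pack {name: bytes} into a gzip'd tar in memory.
    `mtime` is used for both the gzip header and the tar member mtimes, so packing
    the same files at a different time gives a byte-different archive."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in sorted(files.items()):
                info = tarfile.TarInfo(name)
                info.size = len(data)
                info.mtime = mtime
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_manifest(blob):
    """Map member name -> (kind, size, sha256 of data), deliberately ignoring
    mtime, owner and the gzip header, which change on every re-pack."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = ("file", member.size, hashlib.sha256(data).hexdigest())
            else:
                manifest[member.name] = ("dir" if member.isdir() else "other", 0, None)
    return manifest


def compare_tarballs(a, b):
    """Compare two archives at three levels: raw bytes, whole-file digests, and
    per-member content. `differing_members` lists members whose content differs
    or that exist on only one side."""
    ma, mb = content_manifest(a), content_manifest(b)
    differing = sorted(n for n in set(ma) | set(mb) if ma.get(n) != mb.get(n))
    return {
        "bytes_identical": a == b,
        "md5": (hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest()),
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "content_identical": not differing,
        "differing_members": differing,
    }


# Constructed sample input: a tiny stand-in for an upstream release tarball.
FILES = {
    "dkms-2.2.0.3/README": b"dkms sample\n",
    "dkms-2.2.0.3/dkms": b"#!/bin/sh\necho dkms\n",
}
ORIGINAL = build_tgz(FILES, mtime=1388000000)
# Same files, re-packed later: different md5, identical content.
REGENERATED = build_tgz(FILES, mtime=1388900000)
# One script changed: this is the case a packager must not accept blindly.
TAMPERED = build_tgz({**FILES, "dkms-2.2.0.3/dkms": b"#!/bin/sh\necho not dkms\n"}, mtime=1388900000)


if __name__ == "__main__":
    for label, other in (("regenerated", REGENERATED), ("tampered", TAMPERED)):
        r = compare_tarballs(ORIGINAL, other)
        print(label,
              "md5 equal:", r["md5"][0] == r["md5"][1],
              "content identical:", r["content_identical"],
              "differing:", r["differing_members"])
```

For the real case, download both copies from the lookaside URL given in the message, read them with `open(path, "rb").read()` and pass them to `compare_tarballs`. A report of "content identical" with differing md5sums is consistent with a re-packed release; any member in `differing_members` should be diffed by hand before the new tarball is accepted, and an upstream detached signature, where one exists, is still the stronger check than any comparison of the two copies against each other.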