#66804 closed defect (fixed)

Checksum mismatch on source upgrade to libgit2 @1.5.1_0

Reported by: ned-deily (Ned Deily)
Owned by:
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc: dbevans (David B. Evans), mascguy (Christopher Nielsen), herbygillot (Herby Gillot)
Port: libgit2

Description

:notice:checksum --->  Verifying checksums for libgit2
:debug:checksum Executing org.macports.checksum (libgit2)
:info:checksum --->  Checksumming libgit2-1.5.1.tar.gz
:debug:checksum Calculated (rmd160) is 7e6614e14e18e6bf5892515b5015c9dadf83c52c
:error:checksum Checksum (rmd160) mismatch for libgit2-1.5.1.tar.gz
:info:checksum Portfile checksum: libgit2-1.5.1.tar.gz rmd160 0a347520ea2fe8bf8480ee2d80f2cd8142b54c72
:info:checksum Distfile checksum: libgit2-1.5.1.tar.gz rmd160 7e6614e14e18e6bf5892515b5015c9dadf83c52c
:debug:checksum Calculated (sha256) is a5cf175e40c36e8f730c49a11b70c2a3251e9ed417dac3875ac3fef40eb7c712
:error:checksum Checksum (sha256) mismatch for libgit2-1.5.1.tar.gz
:info:checksum Portfile checksum: libgit2-1.5.1.tar.gz sha256 7074f1e2697992b82402501182db254fe62d64877b12f6e4c64656516f4cde88
:info:checksum Distfile checksum: libgit2-1.5.1.tar.gz sha256 a5cf175e40c36e8f730c49a11b70c2a3251e9ed417dac3875ac3fef40eb7c712
:debug:checksum Calculated (size) is 5891907
:error:checksum Checksum (size) mismatch for libgit2-1.5.1.tar.gz
:info:checksum Portfile checksum: libgit2-1.5.1.tar.gz size 5895483
:info:checksum Distfile checksum: libgit2-1.5.1.tar.gz size 5891907
:info:checksum The correct checksum line may be:
:info:checksum checksums           rmd160  7e6614e14e18e6bf5892515b5015c9dadf83c52c \
:info:checksum                     sha256  a5cf175e40c36e8f730c49a11b70c2a3251e9ed417dac3875ac3fef40eb7c712 \
:info:checksum                     size    5891907
:error:checksum Failed to checksum libgit2: Unable to verify file checksums
:debug:checksum Error code: NONE

Change History (7)

comment:1 Changed 15 months ago by ryandesign (Ryan Carsten Schmidt)

Unable to reproduce:

% sudo port checksum libgit2 
Password:
--->  Fetching distfiles for libgit2
--->  Attempting to fetch libgit2-1.5.1.tar.gz from https://distfiles.macports.org/libgit2
--->  Verifying checksums for libgit2
% sudo port clean --all libgit2    
--->  Cleaning libgit2
% sudo port fetch --no-mirrors libgit2       
--->  Fetching distfiles for libgit2
--->  Attempting to fetch libgit2-1.5.1.tar.gz from https://github.com/libgit2/libgit2/archive/v1.5.1
% sudo port checksum libgit2 
--->  Verifying checksums for libgit2
% 

What server did you download from? If you don't remember and your log doesn't say, sudo port clean --all libgit2 and try again. See wiki:FAQ#checksums.

comment:2 Changed 15 months ago by ned-deily (Ned Deily)

Sorry, I didn't try using the clean --all option to remove the distfiles. A new attempt does download a different file that does pass the checksum test: stealth update, I guess.

comment:3 Changed 15 months ago by jmroot (Joshua Root)

Doesn't seem like a typical stealth update, since the file downloaded directly from github and the one mirrored on distfiles.macports.org have identical checksums. There have been some other reports of checksum mismatches for github-hosted files lately, which I also was not able to reproduce. I wonder if github is intermittently serving differing files…

comment:4 Changed 15 months ago by ned-deily (Ned Deily)

I didn't save the ls output but, IIRC, the libgit2-1.5.1.tar.gz downloaded yesterday was a slightly different size from the one downloaded successfully today. I guess we'll never know. FWIW I haven't experienced a similar issue with any other recent updates but also not sure how many were github downloads. Thanks for investigating.

comment:5 in reply to:  4 Changed 15 months ago by ryandesign (Ryan Carsten Schmidt)

Replying to ned-deily:

> I didn't save the ls output but, IIRC, the libgit2-1.5.1.tar.gz downloaded yesterday was a slightly different size from the one downloaded successfully today. I guess we'll never know.

Sure, we know that was the case. Your ticket says the size of the file the port was expecting was 5895483 bytes but the file you downloaded the first time was 5891907 bytes. If you cleaned and retried and it worked, then the file you downloaded that time must have had the correct size and contents to match the checksums.

We don't know what the contents of your incorrectly-sized file were. But in another ticket for another port where we saw the same kind of problem, I found that the contents were identical.

comment:6 Changed 15 months ago by ned-deily (Ned Deily)

Thanks for the update. I'll keep an eye out for another occurrence. Feel free to close this ticket; if I had remembered that a vanilla clean doesn't remove downloads, I wouldn't have even opened it in the first place.

comment:7 Changed 15 months ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: new → closed

This appears to have been a problem on GitHub that was resolved:

> January 30 18:35 UTC (lasting 7 hours)
>
> We upgraded our production Git binary with a recent version from upstream. The updates included a change to use an internal implementation of gzip when generating archives. This resulted in subtle changes to the contents of the “Download Source” links served by GitHub, leading to checksum mismatches. No content was changed.
>
> After becoming aware of the impact to many communities, we rolled back the compression change to restore the previous behavior.
>
> Similar to the above, we are still investigating the contributing factors of this incident, and will provide a more thorough update in next month’s report.
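
The check described in comment:5 and in the GitHub statement (same archive contents, different gzip bytes) can be scripted. The following is an added example, not part of the ticket or of MacPorts: `triage`, `make_tar` and the sample tree are hypothetical names and constructed data, and two compression levels of Python's `gzip` stand in for the two gzip implementations.

```python
import gzip
import hashlib
import io
import tarfile
import zlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(reference: bytes, candidate: bytes) -> str:
    """Classify a distfile that may differ from a trusted reference copy."""
    if sha256(reference) == sha256(candidate):
        return "match"
    try:
        # Hash the tar stream inside the gzip wrapper, not the wrapper itself.
        same_tar = sha256(gzip.decompress(reference)) == sha256(gzip.decompress(candidate))
    except (OSError, EOFError, zlib.error):
        return "content-differs"  # candidate is truncated or not gzip at all
    return "recompressed-only" if same_tar else "content-differs"


def make_tar(files: dict) -> bytes:
    """Build a deterministic uncompressed tar from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), 0
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample data standing in for a source archive.
TREE = {"src/main.c": b"".join(b"int f%d(void) { return %d; }\n" % (i, i * 7) for i in range(500)),
        "README": b"example project\n" * 40}
TAR = make_tar(TREE)
REFERENCE = gzip.compress(TAR, compresslevel=9, mtime=0)      # trusted copy
RECOMPRESSED = gzip.compress(TAR, compresslevel=1, mtime=0)   # other compressor settings
TAMPERED = gzip.compress(make_tar({**TREE, "README": b"changed\n"}), compresslevel=9, mtime=0)

if __name__ == "__main__":
    for label, blob in [("recompressed", RECOMPRESSED), ("tampered", TAMPERED)]:
        print(label, len(blob), sha256(blob)[:16], triage(REFERENCE, blob))
```

A "recompressed-only" verdict is only meaningful when the reference copy itself matches the Portfile checksums, for example the file mirrored on distfiles.macports.org; without such a copy the mismatch stays a verification failure.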
