Opened 7 weeks ago

Closed 6 weeks ago

#70495 closed defect (fixed)

pass @1.7.4: checksum mismatch

Reported by: barracuda156
Owned by: judaew (Vadym-Valdis Yudaiev)
Priority: Normal
Milestone:
Component: ports
Version: 2.9.3
Keywords:
Cc:
Port: pass

Description

--->  password-store-1.7.4.tar.xz does not exist in /opt/local/var/macports/distfiles/pass
--->  Attempting to fetch password-store-1.7.4.tar.xz from https://git.zx2c4.com/password-store/snapshot/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 65280    0 65280    0     0  51467      0 --:--:--  0:00:01 --:--:-- 51482
--->  Verifying checksums for pass
--->  Checksumming password-store-1.7.4.tar.xz
Error: Checksum (rmd160) mismatch for password-store-1.7.4.tar.xz
Portfile checksum: password-store-1.7.4.tar.xz rmd160 c1ac8d01ba88fad13cb5c7a6dcb2b7f3f58bb36c
Distfile checksum: password-store-1.7.4.tar.xz rmd160 6b994e9165621d557d070701923a19ab20acf540
Error: Checksum (sha256) mismatch for password-store-1.7.4.tar.xz
Portfile checksum: password-store-1.7.4.tar.xz sha256 cfa9faf659f2ed6b38e7a7c3fb43e177d00edbacc6265e6e32215ff40e3793c0
Distfile checksum: password-store-1.7.4.tar.xz sha256 4c2d0a8b99df8915a87099607a8d912fd05d30651b6f014745c14e4ca8dbbfb7
Error: Checksum (size) mismatch for password-store-1.7.4.tar.xz
Portfile checksum: password-store-1.7.4.tar.xz size 65272
Distfile checksum: password-store-1.7.4.tar.xz size 65280
The correct checksum line may be:
checksums           rmd160  6b994e9165621d557d070701923a19ab20acf540 \
                    sha256  4c2d0a8b99df8915a87099607a8d912fd05d30651b6f014745c14e4ca8dbbfb7 \
                    size    65280
Error: Failed to checksum pass: Unable to verify file checksums

Change History (2)

comment:1 Changed 7 weeks ago by ryandesign (Ryan Carsten Schmidt)

Summary: pass: checksum mismatch → pass @1.7.4: checksum mismatch

Yes, a stealth update has occurred. Unfortunately the project's official download link is a tarball automatically generated from their repository, and the way that that tarball gets generated appears to have changed since we mirrored the file in 2021. The files in the tarball are identical, as is the tarball itself, but the surrounding gzip compression has changed. This could be the same problem that bit GitHub, Codeberg, and everybody else when they upgraded to git 2.38 without understanding the impact of the fact that it changed the default compression method from an external gzip command to an internal implementation.

Since there is no benefit to us to switching to the new distfile, the port should avoid the stealth update until the next version is released by setting master_sites macports_distfiles.

The developers of pass should be notified that this has happened, and encouraged to switch to separately-archived distfiles that are guaranteed never to change. If they like, they can simply download a snapshot from their repository server or one created locally using git archive and then upload that to some permanent storage.
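Added example, not part of the ticket or of MacPorts: a layer-by-layer comparison of a mirrored distfile and a re-fetched one, which separates a changed compression layer from changed tar metadata or changed file contents. The Portfile checksums cover the compressed bytes, so any of these produces the same mismatch error; `classify_update`, `make_distfile` and the sample file names are hypothetical.

```python
import gzip, hashlib, io, lzma, tarfile

def _decompress(blob: bytes) -> bytes:
    """Strip the outer compression layer, chosen by magic bytes."""
    if blob.startswith(b"\xfd7zXZ\x00"):
        return lzma.decompress(blob)
    if blob.startswith(b"\x1f\x8b"):
        return gzip.decompress(blob)
    raise ValueError("unsupported distfile compression")

def _members(tar_bytes: bytes) -> dict:
    """Map each tar member to (type, mode, link target, SHA-256 of content)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf:
            digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest() if m.isfile() else None
            out[m.name] = (m.type, m.mode, m.linkname, digest)
    return out

def classify_update(mirrored: bytes, fetched: bytes) -> str:
    """Say which layer differs between the mirrored and the re-fetched distfile."""
    if mirrored == fetched:
        return "identical"
    old_tar, new_tar = _decompress(mirrored), _decompress(fetched)
    if old_tar == new_tar:
        return "recompressed"        # same tarball, new compression layer
    if _members(old_tar) == _members(new_tar):
        return "tar-metadata-only"   # same files; mtime, owner or order differ
    return "content-changed"         # review the diff before touching checksums

def make_distfile(files: dict, preset: int, mtime: int = 0) -> bytes:
    """Constructed sample input: build a small .tar.xz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tf.addfile(info, io.BytesIO(data))
    return lzma.compress(buf.getvalue(), preset=preset)

if __name__ == "__main__":
    files = {"demo-1.0/tool.sh": b"#!/bin/sh\necho hello\n"}   # constructed
    mirrored = make_distfile(files, preset=6)
    print(classify_update(mirrored, make_distfile(files, preset=0)))
    print(classify_update(mirrored, make_distfile(files, preset=6, mtime=1)))
    files["demo-1.0/tool.sh"] += b"echo changed\n"
    print(classify_update(mirrored, make_distfile(files, preset=6)))
```

Only the "recompressed" and "tar-metadata-only" results correspond to an inconsequential update; "content-changed" means the upstream files themselves differ from the mirrored copy.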

comment:2 Changed 6 weeks ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: assigned → closed

In d0ed5c839cdb6e391cfd583bfd4480aaa354d914/macports-ports (master):

pass: Avoid inconsequential stealth update

Closes: #70495
