Snapshots mtime breaks digests

Ferry Huberts mailings at hupie.com
Fri Apr 27 10:03:24 CEST 2012



On 27-04-12 04:14, Adrian C. wrote:
> Hello, GNU/Linux distributions are trying to package my little software
> by grabbing the Cgit auto generated tarball of the latest release but
> their build systems use md5sum or sha1sum which then complain the hash
> no longer matches the official release.
>
> I use cgit release 0.9.0.2 with Lighttpd frontend and snapshots enabled
> on http://git.sysphere.org. I presume the mtime changes when the original
> tarball expires from the Cgit cache, and I didn't find anything in the
> cgitrc manual so far.
>
> Does anyone know of a workaround I can apply to keep these folks happy?
> Thanks.
>
>
> Here's the dissection of what happens:
>
> $ diff -u <(hd vicious-2.0.4.tar.gz) <(hd vicious-2.0.4\ \(1\).tar.gz)
> --- /proc/self/fd/11 2012-04-18 21:52:54.970674733 +0200
> +++ /proc/self/fd/12 2012-04-18 21:52:54.970674733 +0200
> @@ -1,4 +1,4 @@
> -00000000 1f 8b 08 00 f8 e8 8d 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
> +00000000 1f 8b 08 00 d6 1a 8f 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
> 00000010 92 e6 bc 8e ff 0a 87 5e 24 61 42 91 bc 0f 15 06 |.......^$aB.....|
> 00000020 8b 2c 29 55 95 33 ba 20 a9 b6 a6 31 68 14 9c 74 |.,)U.3. ...1h..t|
> 00000030 67 24 3b 23 c8 68 1e 4a 45 3f ec 6f 5f 3b dc 49 |g$;#.h.JE?.o_;.I|
>
>
> Tarballs are the same:
>
> $ gunzip vicious-2.0.4.tar.gz
> $ gunzip vicious-2.0.4\ \(1\).tar.gz
> $ md5sum vicious-2.0.4*
> 2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4 (1).tar
> 2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4.tar
>

As you demonstrate perfectly here yourself, the _contents_ of the 
tarball must be checked, not the tarball itself because that is 
generated on the fly.



> As defined here[1], the bytes which change are the mtime field.
>
> [1]: http://tools.ietf.org/html/rfc1952#page-5
>
>
>

-- 
Ferry Huberts
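
An added example (not part of either message above, and not cgit code) showing the effect discussed in this thread: the gzip MTIME field sits at bytes 4 to 7 of the header (RFC 1952), so two snapshots of the same tar stream hash differently as `.tar.gz` files but identically once decompressed. The payload is a constructed stand-in; the two MTIME values are the ones visible in the hexdump diff above.

```python
import gzip
import hashlib
import io
import struct


def make_gzip(payload: bytes, mtime: int) -> bytes:
    """Compress payload into one gzip member with a chosen MTIME header value."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def gzip_mtime(blob: bytes) -> int:
    """Return MTIME: 4 little-endian bytes at offset 4 of the 10-byte header."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack_from("<I", blob, 4)[0]


def archive_digest(blob: bytes) -> str:
    """SHA-256 of the compressed bytes as downloaded (header included)."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob: bytes) -> str:
    """SHA-256 of the decompressed stream; gzip header fields do not affect it."""
    return hashlib.sha256(gzip.decompress(blob)).hexdigest()


# Constructed stand-in for the tar stream of a release (not the real tarball).
SAMPLE_TAR = b"vicious-2.0.4/README\x00" * 64
# MTIME values taken from bytes 4..7 of the two hexdumps quoted in the thread.
FIRST = make_gzip(SAMPLE_TAR, 0x4F8DE8F8)
SECOND = make_gzip(SAMPLE_TAR, 0x4F8F1AD6)

if __name__ == "__main__":
    for name, blob in (("first", FIRST), ("second", SECOND)):
        print(name, gzip_mtime(blob),
              archive_digest(blob)[:16], content_digest(blob)[:16])
```

A packager verifying a generated snapshot would compare the digest of the decompressed stream, as `content_digest` does, against a value published for the release.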



