[Bug 1057322] New: Different checksum for the same package version
http://bugzilla.opensuse.org/show_bug.cgi?id=1057322

Bug ID: 1057322
Summary: Different checksum for the same package version
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Download Infrastructure
Assignee: lars.vogdt@suse.com
Reporter: luizluca@tre-sc.jus.br
QA Contact: lars.vogdt@suse.com
Found By: ---
Blocker: ---

In our internal local mirrors of some build.opensuse.org repos, I check the packages' integrity after I finish the download. I get rare but recurrent wrong checksum values like:

$ curl -s http://download.opensuse.org/repositories/server:/monitoring/SLE_12_SP2/repo... | grep primary.xml
<location href="repodata/5c9117ae6a51e48c26aa21a84c1c68c67cd29a197d5702094d07cb2015da77d5-primary.xml.gz"/>

$ curl -sL http://download.opensuse.org/repositories/server:/monitoring/SLE_12_SP2/repo... | gunzip -c | sed -n -e '/<package/,/<\/package>/H;/<\/package>/{x;/<name>cacti-plugin-routerconfigs<\/name>/{/<arch>noarch<\/arch>/p}};d' | grep -E '<(name|version|checksum|location)( .*)?>'
<name>cacti-plugin-routerconfigs</name>
<version epoch="0" ver="1.0" rel="1.1"/>
<checksum type="sha256" pkgid="YES">4aaaf7b09d86de9fa349a9b5757cc617cacc61b41f868aa99bc58df6db41ecd9</checksum>
<location href="noarch/cacti-plugin-routerconfigs-1.0-1.1.noarch.rpm"/>
<name>cacti-plugin-routerconfigs</name>
<version epoch="0" ver="1.1" rel="1.1"/>
<checksum type="sha256" pkgid="YES">fd87ec3a7b6ce27fc955da8d827e346f9acb41fe93d29d686689bd4b5e44daf3</checksum>
<location href="noarch/cacti-plugin-routerconfigs-1.1-1.1.noarch.rpm"/>

$ wget http://download.opensuse.org/repositories/server:/monitoring/SLE_12_SP2/noar... http://download.opensuse.org/repositories/server:/monitoring/SLE_12_SP2/noar...

$ sha256sum cacti-plugin-routerconfigs-1.*
3f8e9a08746c1cfa59608b5b66661a3f173558831ec1d2770220a5c1d29b9ef3  cacti-plugin-routerconfigs-1.0-1.1.noarch.rpm
fd87ec3a7b6ce27fc955da8d827e346f9acb41fe93d29d686689bd4b5e44daf3  cacti-plugin-routerconfigs-1.1-1.1.noarch.rpm

$ rpm --package --checksig cacti-plugin-routerconfigs-1.*.rpm
cacti-plugin-routerconfigs-1.0-1.1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#ee454f98)
cacti-plugin-routerconfigs-1.1-1.1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#ee454f98)

Version 1.1-1.1 matches while the older 1.0-1.1 did not. It really scares me as it could be a malware change, especially as the older one is the one that did not match. I know that zypper might catch these, but it is common for a build.opensuse.org package to be individually downloaded and manually installed, without adding the extra repo.

The problem seems to be that a different mirror site results in different content for the same file:

$ curl -sL http://mirrors.standaloneinstaller.com/opensuse-stable/repositories/server:/... | sha256sum -
3f8e9a08746c1cfa59608b5b66661a3f173558831ec1d2770220a5c1d29b9ef3  -
$ curl -sL http://ftp.gwdg.de/pub/opensuse/repositories/server:/monitoring/SLE_12_SP2/n... | sha256sum -
4aaaf7b09d86de9fa349a9b5757cc617cacc61b41f868aa99bc58df6db41ecd9  -

So, different mirror sites have the same file version with a correct checksum (according to the rpm check) but different content? It does not seem to be a nice situation. Their mtimes are a little bit different:

$ curl -sL -I http://mirrors.standaloneinstaller.com/opensuse-stable/repositories/server:/... http://ftp.gwdg.de/pub/opensuse/repositories/server:/monitoring/SLE_12_SP2/n... | grep Last-M
Last-Modified: Fri, 24 Feb 2017 12:08:22 GMT
Last-Modified: Fri, 24 Feb 2017 12:16:57 GMT

Wouldn't openbuildservice avoid the reuse of a package version? Maybe if a package is removed and re-added (releases are "1.1")? Even on a re-added package, I guess OBS should try to avoid reusing a package version. I hope, as it seems, that it is just a matter of a wrong rsync call (like using --ignore-existing, especially without --delete) at the mirror side together with a package version collision.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
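The check the reporter performs by hand (compare a downloaded RPM against the sha256 recorded in the repo's primary.xml.gz, and confirm the metadata file itself matches the digest embedded in its repomd href) as an added, self-contained example. This is not openSUSE tooling or the reporter's script; the package names, file bytes and metadata are constructed inline so it runs offline, and the "stale mirror" bytes stand in for the situation in the report where one mirror served different content under the same version-release.

```python
"""Verify downloaded RPMs against the sha256 recorded in a repo's primary.xml.gz.

Constructed example (not openSUSE tooling): package bytes and metadata below are
made up and generated together, so the "origin" copies verify and a divergent
mirror copy is caught the way the report's 1.0-1.1 file was.
"""
import gzip
import hashlib
import xml.etree.ElementTree as ET

COMMON_NS = "http://linux.duke.edu/metadata/common"   # namespace used by primary.xml
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Constructed packages: (name, ver, rel, location href, file bytes). Not real RPMs.
PUBLISHED = [
    ("example-plugin", "1.0", "1.1", "noarch/example-plugin-1.0-1.1.noarch.rpm",
     b"example-plugin 1.0-1.1 as published on the origin"),
    ("example-plugin", "1.1", "1.1", "noarch/example-plugin-1.1-1.1.noarch.rpm",
     b"example-plugin 1.1-1.1 as published on the origin"),
]
# Constructed: what a stale mirror might still serve under the 1.0-1.1 file name
# after a rebuild that reused the same version-release.
STALE_MIRROR_COPY = b"example-plugin 1.0-1.1 from an earlier build"


def build_primary_xml_gz(packages):
    """Produce a minimal primary.xml.gz whose checksums match `packages`."""
    entries = []
    for name, ver, rel, href, data in packages:
        digest = hashlib.sha256(data).hexdigest()
        entries.append(
            f'<package type="rpm"><name>{name}</name><arch>noarch</arch>'
            f'<version epoch="0" ver="{ver}" rel="{rel}"/>'
            f'<checksum type="sha256" pkgid="YES">{digest}</checksum>'
            f'<location href="{href}"/></package>'
        )
    xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
           f'<metadata xmlns="{COMMON_NS}" packages="{len(entries)}">'
           + "".join(entries) + "</metadata>")
    return gzip.compress(xml.encode("utf-8"))


def repodata_href_for(gz_bytes):
    """repomd.xml names primary.xml.gz by its own sha256: repodata/<sha256>-primary.xml.gz."""
    return f"repodata/{hashlib.sha256(gz_bytes).hexdigest()}-primary.xml.gz"


def repodata_name_matches(href, gz_bytes):
    """Check that served metadata bytes hash to the digest embedded in the href."""
    prefix = href.rsplit("/", 1)[-1].split("-", 1)[0]
    return len(prefix) == 64 and hashlib.sha256(gz_bytes).hexdigest() == prefix


def parse_primary(gz_bytes):
    """Map each package's location href -> (checksum type, lowercase hex digest)."""
    root = ET.fromstring(gzip.decompress(gz_bytes))
    ns = {"c": COMMON_NS}
    table = {}
    for pkg in root.findall("c:package", ns):
        href = pkg.find("c:location", ns).get("href")
        cs = pkg.find("c:checksum", ns)
        table[href] = (cs.get("type"), cs.text.strip().lower())
    return table


def verify_package(table, href, data):
    """Return (status, expected_digest, actual_digest) for downloaded file bytes.

    status: "ok", "mismatch", "unlisted" (href absent from metadata) or
    "unsupported" (a checksum type this script cannot compute).
    """
    if href not in table:
        return ("unlisted", None, None)
    cs_type, expected = table[href]
    if cs_type not in SUPPORTED:
        return ("unsupported", expected, None)
    actual = SUPPORTED[cs_type](data).hexdigest()
    return ("ok" if actual == expected else "mismatch", expected, actual)


if __name__ == "__main__":
    gz = build_primary_xml_gz(PUBLISHED)
    table = parse_primary(gz)
    print("metadata name ok:", repodata_name_matches(repodata_href_for(gz), gz))
    for _, _, _, href, data in PUBLISHED:
        print(href, verify_package(table, href, data)[0])          # both "ok"
    # The same href served by a stale mirror: its hash differs from the metadata.
    print(PUBLISHED[0][3], "via stale mirror:",
          verify_package(table, PUBLISHED[0][3], STALE_MIRROR_COPY)[0])  # "mismatch"
```

Two points this makes concrete. The repodata checksum is the only thing tying a file name to one specific set of bytes: rpm --checksig verifies the signature embedded in each file, so if two different builds were both legitimately signed and published under the same version-release, signature verification alone cannot tell a mirror's older copy from the current one. And the metadata file should itself be checked against the digest in its href (or against repomd.xml) before its contents are trusted, otherwise a stale mirror can serve a consistent but outdated pair of metadata and packages.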