[Bug 965532] New: SHASUM doesn't match for openSUSE-Leap-42.1-DVD-x86_64.iso
http://bugzilla.opensuse.org/show_bug.cgi?id=965532

Bug ID: 965532
Summary: SHASUM doesn't match for openSUSE-Leap-42.1-DVD-x86_64.iso
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: openSUSE 13.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Installation
Assignee: yast2-maintainers@suse.de
Reporter: richard@reallyrathergood.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

Download both: openSUSE-Leap-42.1-DVD-x86_64.iso and openSUSE-Leap-42.1-DVD-x86_64.iso.sha256

The GPG signature on the .sha256 file checks out, but try computing the sha256 sum of the .iso and it doesn't match the one published in the .sha256 file. I have re-downloaded both files from two different UK mirrors with the same result. It occurred to me that the sha256 computation on my gentoo server might be wrong, so I double-checked using my openSUSE 13.2 installation, and the results are identical.

The actual checksum computed for the currently published iso image is:

bash# shasum -b -a 256 openSUSE-Leap-42.1-DVD-x86_64.iso
d6e0bbc91611932f76d13d4e6ed8b02c423ced969fbd00d432acd0a33e2b096e *openSUSE-Leap-42.1-DVD-x86_64.iso

I would check further afield, but downloading the DVD iso image takes me over two hours each time, so it's not really practical. It's amazing that nobody has reported this until now - just goes to show that not many people check the integrity of their download!

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c1
Andreas Stieger

The file you downloaded does not match the ISO I have from a trusted in-house source, or the one signed by the release team. A failing local verification should be investigated but it is on your side of the path.

Check for successful download, full size, and attempt a repair using torrent. The hash appears on search engines elsewhere, so it might be an infrequent problem, e.g. 2G limit or similar. If the file is repeatedly bad from mirrors, write to admin@opensuse.org

http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c2
Richard Gray

Please - I'm not an idiot! My first thought in such cases is that I'm doing something wrong; but I'm satisfied that I'm not. I've compared file sizes and my download matches exactly what is on the mirror.

There might be nothing significantly wrong with the iso image, but ignoring the shasum mismatch rather defeats the point of having it. As we all know, it only takes a single bit of error to cause a problem like this, but as a diligent professional I'm not going to install from something I cannot verify. Trying every single mirror is simply not an option!

I have compared file sizes with a mirror in Germany, and it's exactly the same; but downloading this will take me 2.5 hours so I cannot say with any certainty that the shasum will fail just at this point; but I would lay odds that it will.

I think the problem lies in the fact that mirrors are just that. They blithely copy some other server, so it only requires a little glitch somewhere upstream for most of the mirrors to be wrong.

What would be really helpful here is a pointer to a known good iso on an authoritative server. At least then I can get on with my work while the mirrors get corrected in due course.

I don't mean to be contrary, and I apologise if my tone is a bit abrasive; but I think there's a widespread problem here, although how serious it is could be a matter of debate. There is no way of telling from a shasum whether we have a glitch or something malign has tainted the product. This is not something I would wish to gamble on.

A notification of this problem to whomsoever looks after this stuff would carry more weight coming from you than it would from me, since the first assumption is that I'm incompetent!

http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c3
--- Comment #3 from Richard Gray
http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c4
Andreas Stieger

> There might be nothing significantly wrong with the iso image, but ignoring the shasum mismatch rather defeats the point of having it.

That is the correct behavior.

> I have compared file sizes with a mirror in Germany, and it's exactly the same; but downloading this will take me 2.5 hours so I cannot say with any certainty that the shasum will fail just at this point; but I would lay odds that it will.

Re-download not required. Using the file you have as reference, use a protocol capable of intra-file checksums to "repair" it:
* torrent: use http://download.opensuse.org/distribution/leap/42.1/iso/openSUSE-Leap-42.1-D...
* rsync: see https://en.opensuse.org/openSUSE:Mirror_infrastructure#Access_for_the_public...

> I think the problem lies in the fact that mirrors are just that. They blithely copy some other server, so it only requires a little glitch somewhere upstream for most of the mirrors to be wrong.
> What would be really helpful here is a pointer to a known good iso on an authoritative server. At least then I can get on with my work while the mirrors get corrected in due course.

I do not think this is the right question. The authoritative data is what was signed. E.g. the signed sha256sum you have. So even if you were using another distribution point which may or may not be official, the problem may still be in transit or local. See for a list: http://download.opensuse.org/distribution/leap/42.1/iso/openSUSE-Leap-42.1-D...

http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c5
Andreas Stieger

> I am pleased to report that the mirror vesta.informatik.rwth-aachen.de seems to have a good iso image. The GPG sig checks out OK, as does the shasum. So, as far as this problem applies to me, I'm satisfied.

Clearing needinfo.

http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c6
Andreas Stieger

> The corrupt images on the UK mirrors ought to be checked out though. If it turns out that these images have been deliberately tampered with, it could be highly embarrassing. More usually though, these things are cock-up rather than conspiracy!

Which mirrors, URLs? Are they present on this list? http://download.opensuse.org/distribution/leap/42.1/iso/openSUSE-Leap-42.1-D...

http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c7
--- Comment #7 from Andreas Stieger

So everything worked as expected. Some mirror had a bad, broken or manipulated iso, or the transfer resulted in a local file that did not verify against the signed hash. Failure to verify a bad file is the hash/sig WORKING, as in "detecting an incorrect iso"

We do not operate the mirror infrastructure (except for the mirrorbrain redirector), and the above was put in place for this very reason.

A binary diff or diff between hexdumps between the files would be interesting.

http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c8
--- Comment #8 from Richard Gray

I did attempt "repairs" using rsync (as described in the installation blurb, I notice), but since only http servers are listed at: http://download.opensuse.org/distribution/leap/42.1/iso/openSUSE-Leap-42.1-D... I had to cobble together an rsync URI, but I seem to recall doing this with UK based mirrors, so if those mirrors were carrying duff isos that matched the one I had already downloaded, it wouldn't have helped.

I must reiterate that my first assumption has always been that I have done something wrong, so I was fairly sure of myself before raising this issue. My "favourite" mirror is www.mirrorservice.org, and mirror.ox.ac.uk. Being so focussed on getting an intact copy of the iso, I didn't keep the duff ones for comparison, so my apologies for that. All the mirrors I used were listed on the URL I quoted above.

I'll try re-downloading from mirrorservice and see if I can identify in what way the iso is faulty, unless they've fixed it in the meantime. It would be good to rule out mischief if at all possible. I have to concede that it is possible that I've just been unlucky having had three garbled downloads in a row; but that would be a first in my experience!

The complaint I've made about downloading being so time consuming is more to do with ADSL in the UK being so crappy. VDSL (FTTC) services are reaching some of the northern cities, but not the more provincial towns just yet.

Thanks for your comments, guys. I know you all get snowed-under with stupid reports from inept users; or possibly worse, users with a bit of knowledge, but not quite enough. I have personal experience in IT support, so I know how sifting the wheat from the chaff can be a frustrating matter. I've been using openSUSE since 10.something, so I know my way around reasonably well. Happily, I report bugs very rarely because I can usually find another way of solving the problem, and more and more I'm finding less and less. :-)

Cheers!
Richard.

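The binary comparison suggested in comment 7, as an added example that is not part of the original thread: it hashes a known-good and a suspect image and reports the byte ranges where they differ, which separates a truncated or size-limited transfer from scattered bit errors. The file names, block size and 16 KiB sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, bufsize=1 << 20):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def differing_ranges(good, suspect, block=1 << 20):
    """Return merged (start, end) byte ranges in which the two files differ."""
    ranges, offset = [], 0
    with open(good, "rb") as a, open(suspect, "rb") as b:
        while True:
            ca, cb = a.read(block), b.read(block)
            if not ca and not cb:
                return ranges
            end = offset + max(len(ca), len(cb))
            if ca != cb:
                if ranges and ranges[-1][1] == offset:
                    ranges[-1] = (ranges[-1][0], end)  # extend adjacent bad range
                else:
                    ranges.append((offset, end))
            offset = end

def demo():
    """Constructed sample: a 16 KiB 'image' with one flipped bit and a lost tail."""
    good = bytes(range(256)) * 64          # 16384 bytes, stands in for the ISO
    bad = bytearray(good)
    bad[5000] ^= 0x01                      # single-bit error inside block 1
    bad = bytes(bad[:-100])                # transfer that stopped 100 bytes early
    with tempfile.TemporaryDirectory() as d:
        g, s = os.path.join(d, "good.iso"), os.path.join(d, "suspect.iso")
        for path, data in ((g, good), (s, bad)):
            with open(path, "wb") as f:
                f.write(data)
        return {
            "hash_match": sha256_file(g) == sha256_file(s),
            "sizes": (os.path.getsize(g), os.path.getsize(s)),
            "ranges": differing_ranges(g, s, block=4096),
        }

if __name__ == "__main__":
    print(demo())
```

A single range running to the end of the file points at truncation or a size limit; isolated ranges in the middle point at corruption in transit or on the mirror.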
http://bugzilla.opensuse.org/show_bug.cgi?id=965532#c9
--- Comment #9 from Richard Gray