
Re: Bad hash for hop-2.4.0.tar.gz


From: Mark H Weaver
Subject: Re: Bad hash for hop-2.4.0.tar.gz
Date: Wed, 24 Apr 2013 00:57:37 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> Mark H Weaver <address@hidden> skribis:
>
>> On my system, attempts to build hop result in the following error:
>>
>> output path
>> `/nix/store/l4jyrfyx8nr3sy6j20s8znk2aa2hpw84-hop-2.4.0.tar.gz' should
>> have sha256 hash
>> `04fhy5jp9lq12fmdqfjzj1w32f7nxc80fagbj7pfci7xh86nm2c5', instead has
>> `1v2r4ga58kk1sx0frn8qa8ccmjpic9csqzpk499wc95y9c4b1wy3'
>>
>> I tried downloading <ftp://ftp-sop.inria.fr/indes/fp/Hop/hop-2.4.0.tar.gz>
>> manually with wget, and got the same file that guix had downloaded.
>
> Apparently Manuel sometimes modifies tarballs in-place.  Would you like
> to report it?  I can also try to discuss it with him.

Okay, I sent the following message.

     Mark


--8<---------------cut here---------------start------------->8---
From: Mark H Weaver <address@hidden>
To: address@hidden
Subject: hop-2.4.0.tar.gz has apparently been modified
Date: Wed, 24 Apr 2013 00:51:44 -0400

It appears that hop-2.4.0.tar.gz has been modified since it was first
made available.  This makes me concerned about a possible security
breach.

Alternatively, perhaps it was intentionally modified in place.  If so,
I'd like to discourage you from continuing this practice.  It thwarts
attempts to authenticate downloads and detect trojan horses.  It teaches
people not to worry if the tarball they downloaded is not the same as
the one their friend downloaded with the same name.

Several existing projects that automatically download and compile
software, such as source-based GNU/Linux distributions and the BSD ports
collections, include cryptographic hashes of the downloaded files in
their metadata.  This is an important security practice, but it fails
when you change your tarballs in place.  In fact, this is how I learned
that hop-2.4.0.tar.gz had changed.

For these reasons, I'd strongly encourage you to never change a tarball
once it has been made publicly available.  Always increment the version
number.  Integers are cheap and plentiful, are they not?

     Regards,
       Mark
--8<---------------cut here---------------end--------------->8---
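The check that produced the mismatch quoted at the top of this thread is easy to reproduce outside the build daemon. The following is an added example, not code from Guix, Nix, or either author of this thread: it hashes a file with SHA-256, renders the digest in the 52-character base32 alphabet that Nix and Guix use (the alphabet and bit ordering here follow Nix's `printHash32` as I understand it, so treat that as an assumption), and compares the result against the hash a packager recorded in the recipe. `demo_in_place_modification` plays out the scenario Mark describes with a constructed stand-in file: the hash is recorded when the release is first published, then the file is quietly replaced and the same check fails. The file name and contents are constructed for the example and are not the real hop tarball.

```python
import hashlib
import os
import tempfile

# Nix/Guix "base32" alphabet (e, o, t and u are deliberately absent).
# Assumption: this matches the alphabet Nix's printHash32 uses.
NIX_BASE32_CHARS = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(digest: bytes) -> str:
    """Encode a raw digest the way Nix/Guix print it (52 chars for SHA-256).

    Bits are read least-significant-first from the first byte, five at a
    time, and characters are emitted most-significant-chunk first.  Because
    256 is not a multiple of 5, the first character carries only one bit,
    which is why these hashes always start with '0' or '1'.
    """
    length = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)          # byte index and bit offset of chunk n
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)  # borrow the high bits from next byte
        out.append(NIX_BASE32_CHARS[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Inverse of nix_base32_encode; raises ValueError on a malformed string."""
    expected_len = (size * 8 - 1) // 5 + 1
    if len(text) != expected_len:
        raise ValueError(f"expected {expected_len} characters, got {len(text)}")
    buf = bytearray(size)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32_CHARS.find(ch)
        if digit < 0:
            raise ValueError(f"invalid character {ch!r}")
        i, j = divmod(n * 5, 8)
        buf[i] |= (digit << j) & 0xFF
        if i + 1 < size:
            buf[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("trailing bits set; not a valid encoding")
    return bytes(buf)


def sha256_file(path: str) -> bytes:
    """Stream a file through SHA-256 and return the raw 32-byte digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def check_tarball(path: str, expected_nix32: str) -> dict:
    """Compare a downloaded file against the hash recorded in package metadata.

    Returns both values so a caller can report them the way guix-daemon does.
    """
    actual = nix_base32_encode(sha256_file(path))
    return {"expected": expected_nix32, "actual": actual, "ok": actual == expected_nix32}


def demo_in_place_modification() -> tuple:
    """Constructed scenario: record a release hash, then replace the file in place.

    Returns (check_before, check_after); only the first should pass.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in; not the real hop-2.4.0.tar.gz.
        path = os.path.join(tmp, "hop-2.4.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"release as first published\n")
        recorded = nix_base32_encode(sha256_file(path))  # what the recipe stores
        before = check_tarball(path, recorded)
        with open(path, "wb") as f:
            f.write(b"release quietly re-rolled in place\n")
        after = check_tarball(path, recorded)
    return before, after


if __name__ == "__main__":
    before, after = demo_in_place_modification()
    for label, result in (("first download", before), ("after in-place change", after)):
        status = "ok" if result["ok"] else "MISMATCH"
        print(f"{label}: {status}; expected {result['expected']}, got {result['actual']}")
```

Note that the check cannot tell a benign re-roll from a compromised mirror: both produce the same mismatch, which is exactly Mark's point about why a changed-in-place tarball should be treated as a possible breach rather than silently accepted.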


