Re: [savannah-help-public] numdiff package checksum change

[Bob Proulx]

Joshua Hoblitt wrote:
> The checksum on the numdiff 5.8.1 tarball has mysteriously changed. This
> package was frequently download by a deployment script that is run
> frequently at my $day_job.  We have disconnected usage of it as of a few
> moments ago.  It is likely this change happened occurred in last day or two.

Thank you for the report.  I can confirm the current file information:

  download:~# ll /srv/download/numdiff/numdiff-5.8.1.tar.gz
  -rw-rw-r-- 1 ivprimi numdiff 894729 Sep 15  2013 
/srv/download/numdiff/numdiff-5.8.1.tar.gz

  download:~# sha1sum /srv/download/numdiff/numdiff-5.8.1.tar.gz
  2c0397652619e0f6bd5ddeb1fe1f20c973d3f37c  
/srv/download/numdiff/numdiff-5.8.1.tar.gz

  download:~# md5sum /srv/download/numdiff/numdiff-5.8.1.tar.gz
  ce8ac83b89812f71ea7289a2975e598b  /srv/download/numdiff/numdiff-5.8.1.tar.gz

  download:~# stat /srv/download/numdiff/numdiff-5.8.1.tar.gz
    File: `/srv/download/numdiff/numdiff-5.8.1.tar.gz'
    Size: 894729          Blocks: 1752       IO Block: 4096   regular file
  Device: fe10h/65040d    Inode: 9701682     Links: 1
  Access: (0664/-rw-rw-r--)  Uid: (70038/ ivprimi)   Gid: ( 6587/ numdiff)
  Access: 2016-05-04 17:50:47.546563952 +0000
  Modify: 2013-09-15 15:49:19.000000000 +0000
  Change: 2016-05-19 06:30:02.214738826 +0000

Hmm..

> $ tar -xvf numdiff-5.8.1.tar.gz
...
> ./numdiff-5.8.1/docs/numdiff.txt
> ./numdiff-5.8.1/docs/numdiff.info
> tar: Skipping to next header
> 
> gzip: stdin: invalid compressed data--crc error
> 
> gzip: stdin: invalid compressed data--length error
> tar: Child returned status 1
> tar: Error is not recoverable: exiting now
> 
> The tarball seems to be corrupted, so my suspicion is that this is a
> storage problem rather than malicious activity.

Agreed.  But here is a scary thought.  There is a saying.  Where there
is one rat, there are many rats.

I will put in a request to have this recovered from backup and see
what comes out of it.

Bob