TinkerTools / tinker

Tinker: Software Tools for Molecular Design
https://dasher.wustl.edu/tinker/

https://dasher.wustl.edu/tinker/downloads/tinker-8.11.2.tar.gz has changed, is this intentional or was your system hacked? #157

Closed yurivict closed 2 months ago

yurivict commented 2 months ago

On May 6th I updated the FreeBSD port science/tinker to version 8.11.2.

The size of this file was 72151636 and the sha256 hash was 26e9a634eec62c6ce951c0c60464087cf2fae905573c7047db462777397209b3.

Today this file fails to fetch because its size has changed:

fetch: https://dasher.wustl.edu/tinker/downloads/tinker-8.11.2.tar.gz: size mismatch: expected 72151636, actual 72241602

Was your system hacked, or did you replace the released tarball file?

jayponder commented 2 months ago

Hi, this exact issue has happened before! You folks must have a bot or something that detects when packages have been updated. Tinker was updated from 8.11.1 to 8.11.2 on, I believe, literally May 6th. Within a very short time (a few hours?), we discovered a fairly minor issue in the new release, but significant enough that we wanted to patch a few things. This revised version was uploaded to my lab's server, dasher.wustl.edu, as you noted. Since the changes were small, we decided not to change the version number. This situation seems to happen often: within a day or so of putting up new versions we often make small changes. Sorry for the trouble this may cause. We are not really "software engineer" types, just academic scientists trying to do the best we can. So, in answer to your question, "no", our system has not been hacked.

yurivict commented 2 months ago

No problem!

Thank you for the explanation. We store file sizes and md256 hashes for all distfiles that are used by ports, and every time such a re-roll of a release happens the build fails, and we have to ask whether this was intentional, according to the policy.

Thanks again for confirming.
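The size and hash pinning described in the comment above, as an added example in Python that is not code from the Tinker project or the FreeBSD ports tree; the distinfo line format is modelled on the ports tree's, and the distfile contents and the `check_reroll` driver are constructed for illustration:

```python
import hashlib
import os
import re
import tempfile

# Added example, not Tinker's or the FreeBSD ports tree's own code: a minimal
# model of the distinfo check that makes a port fail to fetch when an upstream
# tarball is silently re-rolled under an unchanged version number.

DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$")

def parse_distinfo(text):
    """Parse distinfo-style lines into {filename: {"SHA256": hex, "SIZE": int}}."""
    pinned = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable distinfo line: {line!r}")
        kind, name, value = m.groups()
        pinned.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return pinned

def make_distinfo(name, data):
    """Produce the two pinning lines for a distfile whose contents are `data`."""
    return f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\nSIZE ({name}) = {len(data)}\n"

def verify_distfile(path, name, pinned):
    """Return None if the file matches its pin, else a message naming the mismatch."""
    expected = pinned[name]
    # Size is checked first (cheap, and it is what the fetch step reports);
    # the SHA-256 comparison is the check that actually establishes integrity.
    actual_size = os.path.getsize(path)
    if actual_size != expected["SIZE"]:
        return f"size mismatch: expected {expected['SIZE']}, actual {actual_size}"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    if h.hexdigest() != expected["SHA256"]:
        return f"checksum mismatch: expected {expected['SHA256']}, actual {h.hexdigest()}"
    return None

def check_reroll(name, pinned_data, fetched_data):
    """Pin a constructed tarball, then verify a later fetch of the 'same' file."""
    pinned = parse_distinfo(make_distinfo(name, pinned_data))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(fetched_data)
        return verify_distfile(path, name, pinned)
```

A re-roll that only touches file contents while keeping the size identical is still caught, which is why the hash, not the size, is the check that matters.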

yurivict commented 2 months ago

@jayponder

I think you changed the tarball like 5 times with the latest release.

fetch: https://dasher.wustl.edu/tinker/downloads/tinker-8.11.2.tar.gz: size mismatch: expected 72241699, actual 72243545

I am curious, why don't you just make a new release every time?

I am sure that all port systems that package Tinker are suffering the same way as we do in FreeBSD.

I update the port. Then it fails to fetch. I update the port again, and it fails to fetch again. And then again and again and again...