Closed andioz closed 3 years ago
On first sight, I can't see any contact information for them. Does someone know a way we can contact the maintainers and ask them about this?
Going to the Internet Archive and getting the first jpegsrc.v9d.tar.gz
from last year shows a different checksum:
❯ sha256sum jpegsrc*
99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32 jpegsrc.v9d-20200127160911.tar.gz
6c434a3be59f8f62425b2e3c077e785c9ce30ee5874ea1c270e843f273ba71ee jpegsrc.v9d.tar.gz
Here are the diffs:
❯ diff -ur jpeg-9d-20200127160911 jpeg-9d
diff -ur jpeg-9d-20200127160911/makeasln.v16 jpeg-9d/makeasln.v16
--- jpeg-9d-20200127160911/makeasln.v16 2019-02-07 11:19:48.000000000 -0600
+++ jpeg-9d/makeasln.v16 2019-02-07 12:19:48.000000000 -0600
@@ -1,4 +1,4 @@
-ãØ®
+
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.329
diff -ur jpeg-9d-20200127160911/makecfil.v16 jpeg-9d/makecfil.v16
--- jpeg-9d-20200127160911/makecfil.v16 2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makecfil.v16 2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makecvcx.v16 jpeg-9d/makecvcx.v16
--- jpeg-9d-20200127160911/makecvcx.v16 2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/makecvcx.v16 2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makedfil.v16 jpeg-9d/makedfil.v16
--- jpeg-9d-20200127160911/makedfil.v16 2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makedfil.v16 2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makedvcx.v16 jpeg-9d/makedvcx.v16
--- jpeg-9d-20200127160911/makedvcx.v16 2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/makedvcx.v16 2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makejfil.v16 jpeg-9d/makejfil.v16
--- jpeg-9d-20200127160911/makejfil.v16 2010-05-01 12:36:54.000000000 -0500
+++ jpeg-9d/makejfil.v16 2010-05-01 15:36:54.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makejsln.v16 jpeg-9d/makejsln.v16
--- jpeg-9d-20200127160911/makejsln.v16 2019-02-07 11:05:24.000000000 -0600
+++ jpeg-9d/makejsln.v16 2019-02-07 12:05:24.000000000 -0600
@@ -1,4 +1,4 @@
-ãØ®
+
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.329
diff -ur jpeg-9d-20200127160911/makejvcx.v16 jpeg-9d/makejvcx.v16
--- jpeg-9d-20200127160911/makejvcx.v16 2019-04-04 13:04:56.000000000 -0500
+++ jpeg-9d/makejvcx.v16 2019-04-04 14:04:56.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makerfil.v16 jpeg-9d/makerfil.v16
--- jpeg-9d-20200127160911/makerfil.v16 2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makerfil.v16 2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makervcx.v16 jpeg-9d/makervcx.v16
--- jpeg-9d-20200127160911/makervcx.v16 2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/makervcx.v16 2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/maketfil.v16 jpeg-9d/maketfil.v16
--- jpeg-9d-20200127160911/maketfil.v16 2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/maketfil.v16 2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/maketvcx.v16 jpeg-9d/maketvcx.v16
--- jpeg-9d-20200127160911/maketvcx.v16 2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/maketvcx.v16 2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makewfil.v16 jpeg-9d/makewfil.v16
--- jpeg-9d-20200127160911/makewfil.v16 2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makewfil.v16 2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makewvcx.v16 jpeg-9d/makewvcx.v16
--- jpeg-9d-20200127160911/makewvcx.v16 2019-04-04 13:12:10.000000000 -0500
+++ jpeg-9d/makewvcx.v16 2019-04-04 14:12:10.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Release|Win32">
looks like some extraneous characters were removed from the .v16
files.
libjpeg/9c
is also affected:
❯ conan create recipes/libjpeg/all libjpeg/9c@
Exporting package recipe
libjpeg/9c exports: File 'conandata.yml' found. Exporting it...
libjpeg/9c exports: Copied 1 '.yml' file: conandata.yml
libjpeg/9c exports_sources: Copied 1 '.Mak' file: Win32.Mak
libjpeg/9c exports_sources: Copied 1 '.patch' file: 0001-libjpeg-add-msvc-dll-support.patch
libjpeg/9c: A new conanfile.py version was exported
libjpeg/9c: Folder: /Users/kam/.conan/data/libjpeg/9c/_/_/export
libjpeg/9c: Using the exported files summary hash as the recipe revision: aad9cba44421373f72b973a5745b33fb
libjpeg/9c: Exported revision: aad9cba44421373f72b973a5745b33fb
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=apple-clang
compiler.libcxx=libc++
compiler.version=12.0
os=Macos
os_build=Macos
[options]
[build_requires]
[env]
libjpeg/9c: Forced build from source
libjpeg/9c (test package): Installing package
Requirements
libjpeg/9c from local cache - Cache
Packages
libjpeg/9c:647afeb69d3b0a2d3d316e80b24d38c714cc6900 - Build
Installing (downloading, building) binaries...
libjpeg/9c: Configuring sources in /Users/kam/.conan/data/libjpeg/9c/_/_/source
Downloading jpegsrc.v9c.tar.gz completed [1003.91k]
ERROR: libjpeg/9c: Error in source() method, line 38
tools.get(**self.conan_data["sources"][self.version])
ConanException: sha256 signature failed for 'jpegsrc.v9c.tar.gz' file.
Provided signature: 650250979303a649e21f87b5ccd02672af1ea6954b911342ea491f351ceb7122
Computed signature: 1e9793e1c6ba66e7e0b6e5fe7fd0f9e935cc697854d5737adec54d93e5b3f730
Looks like they are reorganizing existing archives without changing the filename? Strange... Even the timestamps didn't update.
@ all - what do you think how we should handle this?
I checked the differences for both versions 9c
and 9d
with their previous ones (from Nov 2020 resp. Dec. 2020). As @datalogics-kam found out, in both archives several make*.v*
files has changes, some garbage characters at the beginning of the files are removed.
I would say it looks safe if we would like to update the signatures. But how long will this last, when does the next silent change appear?
I'm going to make a PR and include documentation of what changed between the tarballs to justify the checksum change.
On Unix (OSX and Linux), I'm an end user of the Conan's libjpeg/9c
and I'm still seeing this
libjpeg/9c@bincrafters/stable: Configuring sources in /Users/runner/.conan/data/libjpeg/9c/bincrafters/stable/source
ERROR: libjpeg/9c@bincrafters/stable: Error in source() method, line 41
tools.get("{}/files/jpegsrc.v{}.tar.gz".format(self.homepage, self.version), sha256=sha256)
ConanException: sha256 signature failed for 'jpegsrc.v9c.tar.gz' file.
My conanfile.txt
reads as follows:
[requires]
libpng/1.6.37@bincrafters/stable
libjpeg/9c@bincrafters/stable
libtiff/4.0.9@bincrafters/stable
AFAIU, this issue has been fixed by the PR referred above. Am I supposed to do anything to obtain the fix?
I install Conan via python -m pip install --upgrade conan
.
@mloskot python -m pip install --upgrade conan
updates the conan application only, not the recipes in your cache. If I remember right, you can use conan install --update ...
to update the dependencies in your cache.
Or simply, go into your cache directory and remove all relevant sub-directories in data
. This is what I do if I want to be absolutely sure.
@andioz Thanks for the tip about the cache.
The thing is, I'm getting the failure for CI builds on Azure Pipelines: https://dev.azure.com/boostorg/gil/_build/results?buildId=1147&view=logs&j=d77bfd1b-2b56-50c4-ff1e-490af6b2be2e&t=af45cbea-d66c-5594-4a9b-0167ff3f0c9a
where, I assume, the cache is clean slate on each build.
The Conan is run via conan-cmake
's command conan_cmake_run
:
https://github.com/boostorg/gil/blob/2102fdc5b4d80a03691fbcb317c76b96a7f32dd2/CMakeLists.txt#L123-L138
Ah, one more hint: you are using libjpeg/9c@bincrafters/stable
, which doesn't use the repository filled with recipes from here. I guess. The new syntax for using https://conan.io/center/ is to omit the user/channel like this libjpeg/9c
or to use underscores like this libjpeg/9c@_/_
.
@andioz The new syntax is something I wasn't aware of and it did the trick indeed. Thanks!
I'm still seeing this issue in a local build:
conan remove -f libjpeg
conan install . --build outdated --update
...
libjpeg/9d: Configuring sources in C:\Users\plane\.conan\data\libjpeg\9d\_\_\source
Downloading jpegsrc.v9d.tar.gz completed [1045.00k]
ERROR: libjpeg/9d: Error in source() method, line 38
tools.get(**self.conan_data["sources"][self.version])
ConanException: sha256 signature failed for 'jpegsrc.v9d.tar.gz' file.
Provided signature: 99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32
Computed signature: 6c434a3be59f8f62425b2e3c077e785c9ce30ee5874ea1c270e843f273ba71ee
...
While I could just delete the local data folder entirely, I'd like to know what's causing the issue otherwise I can't really trust that packages are being properly updated. I'm not seeing this issue on CI where everything is downloaded from scratch - is there some additional caching behaviour going on?
Package and Environment Details
Conan profile
Problem
I cannot build, signature is wrong:
Steps to reproduce (Include if Applicable)
I'm pretty sure it worked until today noon UTC (January 7th, 2021), but suddenly the signature doesn't match anymore. Ich checked the source repository on the website, downloaded the archive file and generated the hash. Indeed the result changed!
Is this maybe a serious attack, or some conan internal problem? The timestams on their web site looks ok: