miyagawa / cpanminus

cpanminus - get, unpack, build and install modules from CPAN
http://cpanmin.us

subdir usages on cpan mirrors breaks checksum logic. #434

Open kentfredric opened 9 years ago

kentfredric commented 9 years ago
find ~/.cpanm/sources/ -name "THALJEF.CHECKSUMS" -delete
# Fetches THALJEF/strictersubs/CHECKSUMS and writes it as THALJEF.CHECKSUMS
cpanm --look -v --verify Perl::Critic::StricterSubs 
exit
# Attempts to use the above CHECKSUMS file that is wrong
cpanm -v --verify Test::Perl::Critic
--> Working on Test::Perl::Critic
Fetching http://www.cpan.org/authors/id/T/TH/THALJEF/Test-Perl-Critic-1.03.tar.gz ... OK
Fetching http://www.cpan.org/authors/id/T/TH/THALJEF/CHECKSUMS ... OK
Verifying the signature of CHECKSUMS
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks
Verified OK!
Verifying the SHA1 for Test-Perl-Critic-1.03.tar.gz
Checksum for Test-Perl-Critic-1.03.tar.gz not found in CHECKSUMS.
! Failed to fetch distribution Test-Perl-Critic-1.03
cat $( find  /home/kent/.cpanm/sources/ -name THALJEF.CHECKSUMS )
0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# CHECKSUMS file written on Thu Feb  5 07:36:19 2015 GMT by CPAN::Checksums (v2.08)
$cksum = {
  'Perl-Critic-StricterSubs-0.03.meta' => {
    'md5' => '0eef1461a7a29336ff870982964af6bb',
    'mtime' => '2008-01-14',
    'sha256' => 'c6b737ecf353fe29f42ff013727eaff2906a14a665b4a4ba3dc6f239dd1f9fa4',
    'size' => 1568
  },
  'Perl-Critic-StricterSubs-0.03.tar.gz' => {
    'md5' => 'f92c089422f7eea8d51c542997d351c1',
    'md5-ungz' => 'e7ab9dd4a644affae3d2def606810c5c',
    'mtime' => '2008-01-14',
    'sha256' => '20d0f213249927f0232678e54152e8ad141a1b8efa9760c05121818c9466e432',
    'sha256-ungz' => 'de665dd45e468d12da78efeb3e456ad0a1cef5e93c28b4cb9cae10efe8178857',
    'size' => 31284
  }
};
__END__
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlTTHXMACgkQMo2oZ0UPiezMbQCfePRY4iKSoIF0dxhT1FhUaKIg
cyEAnRbktJWTyN6oNnG7VPZiSiN5MwVg
=8ppK
-----END PGP SIGNATURE-----
md5sum $(find ~/.cpanm/sources/ -name THALJEF.CHECKSUMS) <(  curl -s  http://cpan.metacpan.org/authors/id/T/TH/THALJEF/strictersubs/CHECKSUMS )
f711da617e40a8384f00202ba3b2b33b  /home/kent/.cpanm/sources/http%www.cpan.org/THALJEF.CHECKSUMS
f711da617e40a8384f00202ba3b2b33b  /dev/fd/63
kentfredric commented 9 years ago

For replication, cpanm must be using LWP. --no-lwp makes this problem vanish for me.

kentfredric commented 9 years ago

Why it fails:

  1. Two paths coalesce to the same target path
  2. LWP uses "if-modified-since" (and wget/curl don't) https://metacpan.org/pod/LWP::UserAgent#ua-mirror-url-filename
  3. Second fetch fetches a file that was obviously not modified in the last 30 seconds, so it neglects to refresh (whereas wget / curl always re-fetch)
  4. so it goes "Sure, that's the right checksum, the date is right" but it contains none of the right data
  5. ???
  6. Explosion.
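The failure sequence above can be replayed without cpanm or a network. The following is an added simulation, not code from cpanminus or from this issue's author: the "mirror" is an in-memory dict, the CHECKSUMS bodies are reduced to the one thing that matters (which tarballs they have digests for), the sha256 for Test-Perl-Critic-1.03.tar.gz is a constructed placeholder, and `fixed_cache_name` is one possible fix for step 1 (keep the whole path below `authors/id/` in the local name), not necessarily the fix the project adopted. `lwp_style_mirror` models `LWP::UserAgent->mirror`: send If-Modified-Since with the local file's mtime, keep the local copy on 304, and set the local mtime from Last-Modified on 200; `conditional=False` models the unconditional re-fetch of wget/curl (`--no-lwp`).

```python
"""Replay the cpanm/LWP CHECKSUMS cache-key collision from this issue.

Constructed example: no network, no cpanm. REMOTE stands in for the CPAN
mirror; LocalCache stands in for ~/.cpanm/sources/<mirror>/.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Digest for the StricterSubs tarball is the one printed in the issue; the
# digest for Test-Perl-Critic is a constructed placeholder.
STRICTERSUBS_DIGEST = "20d0f213249927f0232678e54152e8ad141a1b8efa9760c05121818c9466e432"
TEST_PERL_CRITIC_DIGEST = "<constructed-sha256-placeholder>"

# Remote mirror: URL path -> (Last-Modified as epoch seconds, digests by tarball).
REMOTE: Dict[str, Tuple[int, Dict[str, str]]] = {
    "/authors/id/T/TH/THALJEF/strictersubs/CHECKSUMS": (
        1423121779,  # Thu Feb 5 2015, the date written in the cached file
        {"Perl-Critic-StricterSubs-0.03.tar.gz": STRICTERSUBS_DIGEST},
    ),
    "/authors/id/T/TH/THALJEF/CHECKSUMS": (
        1420000000,  # constructed: not newer than the subdir file
        {"Test-Perl-Critic-1.03.tar.gz": TEST_PERL_CRITIC_DIGEST},
    ),
}


@dataclass
class LocalCache:
    """Local name -> (mtime, body), plus a log of (url, HTTP status)."""
    files: Dict[str, Tuple[int, Dict[str, str]]] = field(default_factory=dict)
    fetches: List[Tuple[str, int]] = field(default_factory=list)


def lwp_style_mirror(cache: LocalCache, url: str, local_name: str,
                     conditional: bool = True) -> int:
    """Mirror url to local_name. conditional=True is LWP's If-Modified-Since
    behaviour; conditional=False always re-fetches, like wget/curl."""
    remote_mtime, body = REMOTE[urlparse(url).path]
    local = cache.files.get(local_name)
    if conditional and local is not None and remote_mtime <= local[0]:
        cache.fetches.append((url, 304))   # server: "not modified", keep local file
        return 304
    cache.files[local_name] = (remote_mtime, body)  # 200: store, mtime := Last-Modified
    cache.fetches.append((url, 200))
    return 200


def buggy_cache_name(url: str) -> str:
    """Step 1 of the issue: only the author id survives, so .../THALJEF/CHECKSUMS
    and .../THALJEF/strictersubs/CHECKSUMS coalesce to THALJEF.CHECKSUMS."""
    parts = urlparse(url).path.split("/")
    author = parts[parts.index("id") + 3]
    return f"{author}.CHECKSUMS"


def fixed_cache_name(url: str) -> str:
    """Assumed fix: keep every path component below authors/id/, so distinct
    remote paths always get distinct local names."""
    parts = urlparse(url).path.split("/")
    return ".".join(parts[parts.index("id") + 1:])  # e.g. T.TH.THALJEF.strictersubs.CHECKSUMS


def verify_dist(cache: LocalCache, local_name: str, tarball: str) -> Optional[str]:
    """The 'Verifying the SHA1 for <tarball>' step: look the tarball up in the
    cached CHECKSUMS. None reproduces 'Checksum ... not found in CHECKSUMS.'"""
    _, body = cache.files[local_name]
    return body.get(tarball)


def scenario(name_fn, conditional: bool = True) -> Tuple[int, Optional[str]]:
    """Install StricterSubs (subdir CHECKSUMS), then Test::Perl::Critic (top-level
    CHECKSUMS) against a fresh cache. Returns (status of 2nd fetch, digest found)."""
    cache = LocalCache()
    base = "http://www.cpan.org/authors/id/T/TH/THALJEF"
    url1 = f"{base}/strictersubs/CHECKSUMS"
    lwp_style_mirror(cache, url1, name_fn(url1), conditional)
    url2 = f"{base}/CHECKSUMS"
    status = lwp_style_mirror(cache, url2, name_fn(url2), conditional)
    return status, verify_dist(cache, name_fn(url2), "Test-Perl-Critic-1.03.tar.gz")


if __name__ == "__main__":
    print("buggy naming, If-Modified-Since:", scenario(buggy_cache_name))
    print("buggy naming, unconditional (--no-lwp):", scenario(buggy_cache_name, False))
    print("path-preserving naming, If-Modified-Since:", scenario(fixed_cache_name))
```

The point worth noticing from a verification standpoint: the PGP check in the log says "Verified OK!" because the cached file really is a validly signed CHECKSUMS, just the one for the wrong directory. Signature verification alone does not bind the file to the path it was fetched for; the cache key has to do that, which is why the path-preserving name, and not just forcing unconditional fetches, is the fix that removes the collision rather than masking it.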
miyagawa commented 9 years ago

well, obviously fix 1 and the others are just moot :)