pocoproject / poco

The POCO C++ Libraries are powerful cross-platform C++ libraries for building network- and internet-based applications that run on desktop, server, mobile, IoT, and embedded systems.
https://pocoproject.org

Checksum mismatch for release 1.13.3 #4523

Closed uilianries closed 3 months ago

uilianries commented 3 months ago

Hello!

On Friday (April 5) there was a release for Poco 1.13.3:

https://github.com/pocoproject/poco/releases/tag/poco-1.13.3-release

Then, downloading the .tar.gz:

https://github.com/pocoproject/poco/archive/poco-1.13.3-release.tar.gz

I would have the checksum value for sha256: 0f0012944924052ebbe90d74cd684f5bc5264be805010a177c5b8df1ce313e43

However, yesterday (April 7), it was reported that the same .tar.gz now has a different checksum:

wget https://github.com/pocoproject/poco/archive/poco-1.13.3-release.tar.gz | sha256sum                                                                                                                                                                         08:50:15
--2024-04-08 08:56:03--  https://github.com/pocoproject/poco/archive/poco-1.13.3-release.tar.gz
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/pocoproject/poco/tar.gz/refs/tags/poco-1.13.3-release [following]
--2024-04-08 08:56:03--  https://codeload.github.com/pocoproject/poco/tar.gz/refs/tags/poco-1.13.3-release
Resolving codeload.github.com (codeload.github.com)... 140.82.121.9
Connecting to codeload.github.com (codeload.github.com)|140.82.121.9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘poco-1.13.3-release.tar.gz.1’

poco-1.13.3-release.tar.gz.1                                            [        <=>                                                                                                                                                         ]  10,81M  7,14MB/s    in 1,5s    

2024-04-08 08:56:05 (7,14 MB/s) - ‘poco-1.13.3-release.tar.gz.1’ saved [11332562]

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

I would like to know if it's something expected, like you patched the release (no problem at all), or if it is something more unexpected, involving security points.

Related to https://github.com/conan-io/conan-center-index/issues/23407
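An added example, not part of the original post or of the POCO project: a shell sketch that checks a saved tarball against a pinned SHA-256 and, when two downloads of the same tag disagree, lists the files whose contents differ. It hashes the file on disk because `wget URL | sha256sum` hashes wget's standard output, which is empty when the download is saved to a file; the value e3b0c442...b855 in the session above is the SHA-256 of empty input. The function names and the sample archives used to exercise it are constructed for illustration, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the POCO project.

# SHA-256 of zero bytes: seeing this digest means nothing was hashed.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# sha256_file FILE: print the digest of FILE as bare lowercase hex.
sha256_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_pinned FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when FILE is missing or empty.
verify_pinned() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 2; }
    actual=$(sha256_file "$1")
    [ "$actual" = "$2" ] && return 0
    echo "sha256 mismatch for $1: got $actual, pinned $2" >&2
    return 1
}

# manifest ARCHIVE: one "hash  path" line per regular file in a .tar.gz.
manifest() {
    tmp=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    (cd "$tmp" && find . -type f -exec sha256sum {} + | sort -k2)
    rm -rf "$tmp"
}

# changed_files OLD NEW: paths whose content differs between the two
# archives, or that exist in only one of them.
changed_files() {
    a=$(mktemp) b=$(mktemp)
    manifest "$1" > "$a"
    manifest "$2" > "$b"
    # Lines present in both manifests cancel out; the path starts at
    # column 67 (64 hex digits plus a two-character separator).
    sort "$a" "$b" | uniq -u | cut -c67- | sort -u
    rm -f "$a" "$b"
}
```

When the pinned copy of a release is still cached, `changed_files old.tar.gz new.tar.gz` shows whether a re-published tag touched one file or many before the pin is updated.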

obiltschnig commented 3 months ago

Yes, there was a small patch (DLLVersion.rc had a wrong version number).

uilianries commented 3 months ago

@obiltschnig Thank you for your quick answer! Have a great week ahead!

matejk commented 3 months ago

@obiltschnig, perhaps we shall let RedHat know also. Their release scripts picked 1.13.3 very quickly:

https://koji.fedoraproject.org/koji/taskinfo?taskID=115907438

obiltschnig commented 3 months ago

Probably yes. And we should probably have a better process to deal with such minor changes.

matejk commented 3 months ago

Wrote a comment here. I hope that it is sufficient.

https://bugzilla.redhat.com/show_bug.cgi?id=2138907#c30

topazus commented 3 months ago

> Wrote a comment here. I hope that it is sufficient.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2138907#c30

Thanks, I got this notification.