From mboxrd@z Thu Jan 1 00:00:00 1970 From: mailings at hupie.com (Ferry Huberts) Date: Fri, 27 Apr 2012 10:03:24 +0200 Subject: Snapshots mtime breaks digests In-Reply-To: References: Message-ID: <4F9A52CC.1020602@hupie.com> On 27-04-12 04:14, Adrian C. wrote: > Hello, GNU/Linux distributions are trying to package my little software > by grabbing the Cgit auto generated tarball of the latest release but > their build systems use md5sum or sha1sum which then complain the hash > no longer matches the official release. > > I use cgit release 0.9.0.2 with Lighttpd frontend and snapshots enabled > on http://git.sysphere.org I presume the mtime changes when the original > tarball expires from the Cgit cache and I didn't find anything in the > cgitrc manual so far. > > Anyone knows of a workaround I can apply to keep these folks happy? > Thanks. > > > Here's the disection of what happens: > > $ diff -u<(hd vicious-2.0.4.tar.gz)<(hd vicious-2.0.4\ \(1\).tar.gz) > --- /proc/self/fd/11 2012-04-18 21:52:54.970674733 +0200 > +++ /proc/self/fd/12 2012-04-18 21:52:54.970674733 +0200 > @@ -1,4 +1,4 @@ > -00000000 1f 8b 08 00 f8 e8 8d 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H| > +00000000 1f 8b 08 00 d6 1a 8f 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H| > 00000010 92 e6 bc 8e ff 0a 87 5e 24 61 42 91 bc 0f 15 06 |.......^$aB.....| > 00000020 8b 2c 29 55 95 33 ba 20 a9 b6 a6 31 68 14 9c 74 |.,)U.3. ...1h..t| > 00000030 67 24 3b 23 c8 68 1e 4a 45 3f ec 6f 5f 3b dc 49 |g$;#.h.JE?.o_;.I| > > > Tarballs are the same: > > $ gunzip vicious-2.0.4.tar.gz > $ gunzip vicious-2.0.4\ \(1\).tar.gz > $ md5sum vicious-2.0.4* > 2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4 (1).tar > 2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4.tar > As you demonstrate perfectly here yourself, the _contents_ of the tarball must be checked, not the tarball itself because that is generated on the fly. > As defined here[1], byte which change are mtime field. > > [1]: http://tools.ietf.org/html/rfc1952#page-5 > > > -- Ferry Huberts