List for cgit developers and users
* Snapshots mtime breaks digests
@ 2012-04-27  2:14 anrxc
  2012-04-27  8:03 ` mailings
  2012-04-28  0:43 ` anrxc
  0 siblings, 2 replies; 5+ messages in thread
From: anrxc @ 2012-04-27  2:14 UTC (permalink / raw)


Hello, GNU/Linux distributions are trying to package my little software 
by grabbing the Cgit auto generated tarball of the latest release but 
their build systems use md5sum or sha1sum which then complain the hash 
no longer matches the official release.

I use cgit release 0.9.0.2 with Lighttpd frontend and snapshots enabled 
on http://git.sysphere.org. I presume the mtime changes when the original
tarball expires from the Cgit cache and I didn't find anything in the
cgitrc manual so far.

Does anyone know of a workaround I can apply to keep these folks happy?
Thanks.


Here's the dissection of what happens:

$ diff -u <(hd vicious-2.0.4.tar.gz) <(hd vicious-2.0.4\ \(1\).tar.gz)
--- /proc/self/fd/11 2012-04-18 21:52:54.970674733 +0200
+++ /proc/self/fd/12 2012-04-18 21:52:54.970674733 +0200
@@ -1,4 +1,4 @@
-00000000 1f 8b 08 00 f8 e8 8d 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
+00000000 1f 8b 08 00 d6 1a 8f 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
00000010 92 e6 bc 8e ff 0a 87 5e 24 61 42 91 bc 0f 15 06 |.......^$aB.....|
00000020 8b 2c 29 55 95 33 ba 20 a9 b6 a6 31 68 14 9c 74 |.,)U.3. ...1h..t|
00000030 67 24 3b 23 c8 68 1e 4a 45 3f ec 6f 5f 3b dc 49 |g$;#.h.JE?.o_;.I|


Tarballs are the same:

$ gunzip vicious-2.0.4.tar.gz
$ gunzip vicious-2.0.4\ \(1\).tar.gz
$ md5sum vicious-2.0.4*
2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4 (1).tar
2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4.tar

As defined here[1], the bytes which change are the mtime field.

[1]: http://tools.ietf.org/html/rfc1952#page-5



-- 
Adrian C. (anrxc) | anrxc..sysphere.org | PGP ID: D20A0618
PGP FP: 02A5 628A D8EE 2A93 996E  929F D5CB 31B7 D20A 0618





* Snapshots mtime breaks digests
  2012-04-27  2:14 Snapshots mtime breaks digests anrxc
@ 2012-04-27  8:03 ` mailings
  2012-04-27 11:42   ` dpmcgee
  2012-04-28  0:43 ` anrxc
  1 sibling, 1 reply; 5+ messages in thread
From: mailings @ 2012-04-27  8:03 UTC (permalink / raw)




On 27-04-12 04:14, Adrian C. wrote:
> Hello, GNU/Linux distributions are trying to package my little software
> by grabbing the Cgit auto generated tarball of the latest release but
> their build systems use md5sum or sha1sum which then complain the hash
> no longer matches the official release.
>
> I use cgit release 0.9.0.2 with Lighttpd frontend and snapshots enabled
> on http://git.sysphere.org. I presume the mtime changes when the original
> tarball expires from the Cgit cache and I didn't find anything in the
> cgitrc manual so far.
>
> Does anyone know of a workaround I can apply to keep these folks happy?
> Thanks.
>
>
> Here's the dissection of what happens:
>
> $ diff -u <(hd vicious-2.0.4.tar.gz) <(hd vicious-2.0.4\ \(1\).tar.gz)
> --- /proc/self/fd/11 2012-04-18 21:52:54.970674733 +0200
> +++ /proc/self/fd/12 2012-04-18 21:52:54.970674733 +0200
> @@ -1,4 +1,4 @@
> -00000000 1f 8b 08 00 f8 e8 8d 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
> +00000000 1f 8b 08 00 d6 1a 8f 4f 00 03 ec 7d 59 8f dc 48 |.......O...}Y..H|
> 00000010 92 e6 bc 8e ff 0a 87 5e 24 61 42 91 bc 0f 15 06 |.......^$aB.....|
> 00000020 8b 2c 29 55 95 33 ba 20 a9 b6 a6 31 68 14 9c 74 |.,)U.3. ...1h..t|
> 00000030 67 24 3b 23 c8 68 1e 4a 45 3f ec 6f 5f 3b dc 49 |g$;#.h.JE?.o_;.I|
>
>
> Tarballs are the same:
>
> $ gunzip vicious-2.0.4.tar.gz
> $ gunzip vicious-2.0.4\ \(1\).tar.gz
> $ md5sum vicious-2.0.4*
> 2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4 (1).tar
> 2f83e422d99e67099fbeab8cb4314f69 vicious-2.0.4.tar
>

As you demonstrate perfectly here yourself, the _contents_ of the 
tarball must be checked, not the tarball itself because that is 
generated on the fly.



> As defined here[1], the bytes which change are the mtime field.
>
> [1]: http://tools.ietf.org/html/rfc1952#page-5
>
>
>

-- 
Ferry Huberts





* Snapshots mtime breaks digests
  2012-04-27  8:03 ` mailings
@ 2012-04-27 11:42   ` dpmcgee
  2012-04-27 13:50     ` nobody
  0 siblings, 1 reply; 5+ messages in thread
From: dpmcgee @ 2012-04-27 11:42 UTC (permalink / raw)


On Fri, Apr 27, 2012 at 3:03 AM, Ferry Huberts <mailings at hupie.com> wrote:
> On 27-04-12 04:14, Adrian C. wrote:
>> I use cgit release 0.9.0.2 with Lighttpd frontend and snapshots enabled
>> on http://git.sysphere.org. I presume the mtime changes when the original
>> tarball expires from the Cgit cache and I didn't find anything in the
>> cgitrc manual so far.
>>
>> Does anyone know of a workaround I can apply to keep these folks happy?
>> Thanks.
>>
>
> As you demonstrate perfectly here yourself, the _contents_ of the tarball
> must be checked, not the tarball itself because that is generated on the
> fly.
>
>
>> As defined here[1], the bytes which change are the mtime field.
>>
>> [1]: http://tools.ietf.org/html/rfc1952#page-5

Use anything except gzip; it is the only one having a silly field like
this. xz did not make this same mistake. Note that the `gzip -n`
program option will prevent this from being included (and thus
changing); not sure if you could patch cgit to generate tarballs in
this fashion.

-Dan
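
Added example (not part of any message in this thread, and not cgit code): the two checks discussed above, done in Python on a constructed payload. It reads the RFC 1952 MTIME field, hashes the decompressed stream instead of the .tar.gz, and zeroes MTIME the way `gzip -n` does. The function names and SAMPLE_TAR are made up for illustration; the two MTIME values are the header bytes from the hexdump in the first message, and SHA-256 stands in for md5sum.

```python
import gzip
import hashlib
import struct


def gzip_mtime(blob: bytes) -> int:
    """MTIME of the first gzip member: bytes 4-7, little-endian (RFC 1952)."""
    if len(blob) < 10 or blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a deflate-compressed gzip stream")
    return struct.unpack_from("<I", blob, 4)[0]


def container_digest(blob: bytes) -> str:
    """What a packager's checksum sees: the .tar.gz bytes, header included."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob: bytes) -> str:
    """Digest of the decompressed tar stream, independent of the gzip header."""
    return hashlib.sha256(gzip.decompress(blob)).hexdigest()


def zero_mtime(blob: bytes) -> bytes:
    """Return the stream with MTIME set to 0, the value `gzip -n` writes."""
    gzip_mtime(blob)                      # validates magic and method
    if blob[3] & 0x02:                    # FHCRC set: header CRC would go stale
        raise ValueError("header CRC present; recompress instead of patching")
    return blob[:4] + b"\x00" * 4 + blob[8:]


# Constructed stand-in for the tar stream; not the real vicious tarball.
SAMPLE_TAR = b"constructed sample payload standing in for a tar stream\n" * 64
MTIME_A = 0x4F8DE8F8   # bytes f8 e8 8d 4f in the first hexdump
MTIME_B = 0x4F8F1AD6   # bytes d6 1a 8f 4f in the second hexdump
SNAPSHOT_A = gzip.compress(SAMPLE_TAR, mtime=MTIME_A)
SNAPSHOT_B = gzip.compress(SAMPLE_TAR, mtime=MTIME_B)

if __name__ == "__main__":
    for name, blob in (("A", SNAPSHOT_A), ("B", SNAPSHOT_B)):
        print(name, gzip_mtime(blob),
              "container", container_digest(blob)[:16],
              "content", content_digest(blob)[:16],
              "mtime=0", container_digest(zero_mtime(blob))[:16])
```

The container digests differ while the content digests and the mtime-zeroed digests agree, which is the situation the packagers ran into.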





* Snapshots mtime breaks digests
  2012-04-27 11:42   ` dpmcgee
@ 2012-04-27 13:50     ` nobody
  0 siblings, 0 replies; 5+ messages in thread
From: nobody @ 2012-04-27 13:50 UTC (permalink / raw)


On 04/27/2012 01:42 PM, Dan McGee wrote:
>> On 27-04-12 04:14, Adrian C. wrote:
>>> I use cgit release 0.9.0.2 with Lighttpd frontend and snapshots enabled
>>> on http://git.sysphere.org I presume the mtime changes when the original
>>> tarball expires from the Cgit cache and I didn't find anything in the
>>> cgitrc manual so far.
>>>
>>> Does anyone know of a workaround I can apply to keep these folks happy?
>>> Thanks.
> 
> Use anything except gzip; it is the only one having a silly field like
> this. xz did not make this same mistake. Note that the `gzip -n`
> program option will prevent this from being included (and thus
> changing); not sure if you could patch cgit to generate tarballs in
> this fashion.

Couldn't the date also be based on the time of the last change?

Best Regards,
Christian Franke






* Snapshots mtime breaks digests
  2012-04-27  2:14 Snapshots mtime breaks digests anrxc
  2012-04-27  8:03 ` mailings
@ 2012-04-28  0:43 ` anrxc
  1 sibling, 0 replies; 5+ messages in thread
From: anrxc @ 2012-04-28  0:43 UTC (permalink / raw)


Thanks to everyone for fast tips.

-- 
Adrian C. (anrxc) | anrxc..sysphere.org | PGP ID: D20A0618
PGP FP: 02A5 628A D8EE 2A93 996E  929F D5CB 31B7 D20A 0618



