
Bug#931175: marked as done (Include hashsums when comparing packages from different sources)



Your message dated Wed, 02 Aug 2023 12:49:12 +0000
with message-id <E1qRBHs-008P7o-5F@fasolo.debian.org>
and subject line Bug#931175: fixed in apt 2.7.3
has caused the Debian Bug report #931175,
regarding Include hashsums when comparing packages from different sources
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931175
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.8.2
Severity: wishlist

I've just had autopkgtest explode:

https://salsa.debian.org/postgresql/postgresql/-/jobs/205099

Get:1 file:/tmp/autopkgtest.V0T9GW/binaries  libpq5 11.4-1 [165 kB]
Get:2 file:/tmp/autopkgtest.V0T9GW/binaries  libpq-dev 11.4-1 [161 kB]
...
Get:69 http://cdn-fastly.deb.debian.org/debian sid/main amd64 postgresql-server-dev-11 amd64 11.4-1 [932 kB]
Err:69 http://cdn-fastly.deb.debian.org/debian sid/main amd64 postgresql-server-dev-11 amd64 11.4-1
  Hash Sum mismatch
  Hashes of expected file:
   - SHA256:2a5e5334855a16f8f87bd1e3642c8a41109ce325583f365d77c4eb7541006612
   - MD5Sum:85b683f05d235008de3feb2d5f2a7c0c [weak]
   - Filesize:931564 [weak]
   - SHA512:fd0b27379598b896aa374b2650fb88357adbcbd1d4e7f55bfe56f535b6a1c69af75f609b616d557d1fa9d7d42be229bdd41c8faca666ea30967662c7258f4d46
  Hashes of received file:
   - SHA512:aa3effa6ba09fadb17edbeeeb76678c56371391496db12f3c74863ad5e1d1d5555e6e48e91254024925c0b87b94be577d5e188250e0bfeb72920d409db52736d
   - SHA256:2a5e5334855a16f8f87bd1e3642c8a41109ce325583f365d77c4eb7541006612
   - MD5Sum:85b683f05d235008de3feb2d5f2a7c0c [weak]
   - Filesize:931564 [weak]
  Last modification reported: Thu, 20 Jun 2019 15:44:20 +0000
...
W: Sources disagree on hashes for supposely identical version '11.4-1' of 'postgresql-server-dev-11:amd64'.

The problem is that a previous build step recompiled
postgresql-server-dev-11 11.4-1 which led to a different package, but
with the same size.

Now when apt was merging both Packages files, it determined both to be
the same based on name, version, size (and other fields). It then
"merged" the hashes from both, but because only the local file had a
SHA512, the file downloaded from the main archive didn't match it.

In most cases this CI workflow where recompiled packages have the same
version number works fine, because the packages either reproduce
completely, or have a different size.

As discussed on #debian-devel, a fix here would be to include the
hashsums when comparing packages. Please consider doing so.

(While version numbers should be unique, in practice this workflow is
quite common, so please don't break it. It works quite well except
when hitting this "almost-identical" case in the middle.)

Thanks!
Christoph

--- End Message ---
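
A simplified model of the merge described in the report above, added here as an illustration; it is not apt's code. The `Stanza` type, the merge policy (first-seen digest wins, missing algorithms are added) and the placeholder digests are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Stanza:              # one Packages entry (simplified model, not apt's types)
    source: str
    package: str
    version: str
    arch: str
    size: int
    hashes: dict           # algorithm name -> digest

# Constructed sample data: digests are placeholders, not real values.
ARCHIVE = Stanza("archive", "postgresql-server-dev-11", "11.4-1", "amd64", 931564,
                 {"MD5Sum": "md5-archive", "SHA256": "sha256-archive"})
LOCAL = Stanza("local", "postgresql-server-dev-11", "11.4-1", "amd64", 931564,
               {"SHA256": "sha256-rebuild", "SHA512": "sha512-rebuild"})
# Hashes computed over the file actually fetched from the archive.
RECEIVED = {"MD5Sum": "md5-archive", "SHA256": "sha256-archive",
            "SHA512": "sha512-archive"}

def same_version(a, b, compare_sha256):
    if (a.package, a.version, a.arch, a.size) != (b.package, b.version, b.arch, b.size):
        return False
    if compare_sha256:
        ha, hb = a.hashes.get("SHA256"), b.hashes.get("SHA256")
        if ha and hb and ha != hb:
            return False   # same name/version/size, but different content
    return True

def merge(stanzas, compare_sha256):
    versions = []
    for s in stanzas:
        for v in versions:
            if same_version(v["first"], s, compare_sha256):
                v["sources"].append(s.source)
                # Assumption: first-seen digest wins, missing algorithms are added.
                for alg, digest in s.hashes.items():
                    v["expected"].setdefault(alg, digest)
                break
        else:
            versions.append({"first": s, "sources": [s.source],
                             "expected": dict(s.hashes)})
    return versions

def mismatches(expected, received):
    # Algorithms present on both sides whose digests disagree.
    return sorted(a for a, d in expected.items() if received.get(a) not in (None, d))

def fetch_from_archive(compare_sha256):
    versions = merge([ARCHIVE, LOCAL], compare_sha256)
    target = next(v for v in versions if "archive" in v["sources"])
    return len(versions), mismatches(target["expected"], RECEIVED)
```

Without the SHA256 comparison the two stanzas collapse into one version whose expected SHA512 comes from the rebuild, so the archive download fails verification; with it they stay separate and the download verifies.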
--- Begin Message ---
Source: apt
Source-Version: 2.7.3
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 931175@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 Aug 2023 14:30:47 +0200
Source: apt
Architecture: source
Version: 2.7.3
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 931175 1033904 1033909 1040644
Changes:
 apt (2.7.3) unstable; urgency=medium
 .
   [ Tianon Gravi ]
   * Add "apt-patterns" reference to "apt list" description in apt(8)
 .
   [ Frans Spiesschaert ]
   * Dutch manpages translation update (Closes: #1033904)
   * Dutch program translation update (Closes: #1033909)
 .
   [ Mert Dirik ]
   * Turkish program translation update
 .
   [ Remus-Gabriel Chelu ]
   * Romanian program translation update (Closes: #1040644)
 .
   [ David Kalnischkies ]
   * Add apt-patterns(7) to apt{,-cache,-get} SEE ALSO sections
 .
   [ Julian Andres Klode ]
   * Compare SHA256 to check if versions are really the same (Closes: #931175)
     (LP: #2029268)
Checksums-Sha1:
 6ed5010b3caacb0880ab69ba7b0a1720bd817f9f 2945 apt_2.7.3.dsc
 75f34ab30e019ec6b547fea283181f614be0ab9b 2343000 apt_2.7.3.tar.xz
 0299ff1ed4b469d5ee4a58930ca7d658d5d28c75 7513 apt_2.7.3_source.buildinfo
Checksums-Sha256:
 6927412c35484426113eebfa6cca50c54180d877c5daa899703e8029dfe1b9b6 2945 apt_2.7.3.dsc
 9ad2eb2c4f25ce3535d9a5d8056e1fe932d6dbb58c2647cd5fc8df8c9f8def53 2343000 apt_2.7.3.tar.xz
 fbbb1bd5c5ff0e7571f45e814dc77f02fcd4d77fcc8bf62727bd6bfbcfb5e7bd 7513 apt_2.7.3_source.buildinfo
Files:
 a047a3bfc445a7ff119b5620f5b520a9 2945 admin important apt_2.7.3.dsc
 22fb228605ead8db1dd53acdfd964b7e 2343000 admin important apt_2.7.3.tar.xz
 85a7ccf8ab48267e5edb94e52114648a 7513 admin important apt_2.7.3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
