Bug#931175: Include hashsums when comparing packages from different sources

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#931175: Include hashsums when comparing packages from different sources
From: Christoph Berg <myon@debian.org>
Date: Thu, 27 Jun 2019 15:02:40 +0200
Message-id: <[🔎] 20190627130240.GA23534@msg.df7cb.de>
Reply-to: Christoph Berg <myon@debian.org>, 931175@bugs.debian.org

Package: apt
Version: 1.8.2
Severity: wishlist

I've just had autopkgtest explode:

https://salsa.debian.org/postgresql/postgresql/-/jobs/205099

Get:1 file:/tmp/autopkgtest.V0T9GW/binaries  libpq5 11.4-1 [165 kB]
Get:2 file:/tmp/autopkgtest.V0T9GW/binaries  libpq-dev 11.4-1 [161 kB]
...
Get:69 http://cdn-fastly.deb.debian.org/debian sid/main amd64 postgresql-server-dev-11 amd64 11.4-1 [932 kB]
Err:69 http://cdn-fastly.deb.debian.org/debian sid/main amd64 postgresql-server-dev-11 amd64 11.4-1
  Hash Sum mismatch
  Hashes of expected file:
   - SHA256:2a5e5334855a16f8f87bd1e3642c8a41109ce325583f365d77c4eb7541006612
   - MD5Sum:85b683f05d235008de3feb2d5f2a7c0c [weak]
   - Filesize:931564 [weak]
   - SHA512:fd0b27379598b896aa374b2650fb88357adbcbd1d4e7f55bfe56f535b6a1c69af75f609b616d557d1fa9d7d42be229bdd41c8faca666ea30967662c7258f4d46
  Hashes of received file:
   - SHA512:aa3effa6ba09fadb17edbeeeb76678c56371391496db12f3c74863ad5e1d1d5555e6e48e91254024925c0b87b94be577d5e188250e0bfeb72920d409db52736d
   - SHA256:2a5e5334855a16f8f87bd1e3642c8a41109ce325583f365d77c4eb7541006612
   - MD5Sum:85b683f05d235008de3feb2d5f2a7c0c [weak]
   - Filesize:931564 [weak]
  Last modification reported: Thu, 20 Jun 2019 15:44:20 +0000
...
W: Sources disagree on hashes for supposely identical version '11.4-1' of 'postgresql-server-dev-11:amd64'.

The problem is that a previous build step recompiled
postgresql-server-dev-11 11.4-1 which led to a different package, but
with the same size.

Now when apt was merging both Packages files, it determined both to be
the same based on name, version, size (and other fields). It them
"merged" the hashes from both, but because only the local file had a
SHA512, the file downloaded from the main archive didn't match it.

In most cases this CI workflow where recompiled packages have the same
version number works fine, because the packages either reproduce
completely, or have a different size.

As discussed on #debian-devel, a fix here would be to include the
hashsums when comparing packages. Please consider doing so.

(While version numbers should be unique, in practise this workflow is
quite common, so please don't break it. It works quite well except
when hitting this "almost-identical" case in the middle.)

Thanks!
Christoph

Reply to:

Prev by Date: Can i trust you my good friend?.
Next by Date: Bug#930788: creating /var/lib/dpkg/cmethopt
Previous by thread: Can i trust you my good friend?.
Next by thread: Have you received it? your (ATM CARD)
Index(es):
- Date
- Thread