libcloud-notifications mailing list archives

From "Tomaz Muraus (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LIBCLOUD-460) checksum mismatch of ".tar.gz" tarball for version 0.13.2
Date Thu, 12 Dec 2013 14:42:07 GMT

    [ https://issues.apache.org/jira/browse/LIBCLOUD-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846335#comment-13846335 ]

Tomaz Muraus commented on LIBCLOUD-460:
---------------------------------------

Thanks for the report.

You are right, this should not happen. I just verified it and your report is correct. The
md5 checksums of both the .tar.gz archives are indeed different.

After inspection, it looks like the archive contents don't differ, just the archives
themselves do - https://gist.github.com/Kami/7928875.

I have no idea how this happened, since we never use "python setup.py upload", but always
manually upload the same archive to the PyPI server as we upload to the Apache servers.

I will again try to upload the same pristine binary from the Apache servers to PyPI and see what
happens when I download the archive. One thing which is possible, but unlikely, is that either
PyPI or the Fastly CDN in front of PyPI does something weird to the archive.

> checksum mismatch of ".tar.gz" tarball for version 0.13.2 
> ----------------------------------------------------------
>
>                 Key: LIBCLOUD-460
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-460
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Website
>    Affects Versions: 0.13.2
>         Environment: Building with Macports
>            Reporter: Peter Danecek
>              Labels: newbie, security
>   Original Estimate: 10m
>  Remaining Estimate: 10m
>
> I am trying to package libcloud, and intended to use both sources of the package, i.e.
> apache.org and PyPI. However, it seems that there is some mismatch with the .tar.gz tarball,
> which is indeed different. The published checksums are different and indeed the corresponding
> packages have the respective checksum.
> However, I think this should not really happen, at least as long as the same name/version
> is used.
>  



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
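
One way to check whether two .tar.gz files with different checksums still carry the same content, as described in the comment above (an added example, not code from the thread or from the Libcloud project). It uses SHA-256 instead of the md5 sums mentioned in the thread; the function names and the sample archives are constructed for illustration, and the samples differ only in the gzip header timestamp, which is one possible cause and not the cause established for LIBCLOUD-460.

```python
import gzip
import hashlib
import io
import tarfile


def member_digests(archive: bytes) -> dict:
    """Map each regular file in a .tar.gz to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare(a: bytes, b: bytes) -> dict:
    """Compare two .tar.gz archives at three levels, outermost first."""
    return {
        # What a published checksum covers: the compressed bytes as served.
        "archive_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        # The tar stream after removing the gzip container.
        "tar_stream_equal": gzip.decompress(a) == gzip.decompress(b),
        # The packaged files themselves, independent of container metadata.
        "members_equal": member_digests(a) == member_digests(b),
    }


def build_sample(gzip_mtime: int, payload: bytes = b"print('hello')\n") -> bytes:
    """Constructed sample: a one-file tarball with a chosen gzip header mtime."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        info = tarfile.TarInfo("pkg-0.0.0/setup.py")  # hypothetical member name
        info.size = len(payload)
        info.mtime = 0  # fixed so the tar stream itself is deterministic
        tar.addfile(info, io.BytesIO(payload))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


if __name__ == "__main__":
    same_content = compare(build_sample(1), build_sample(2))
    changed_file = compare(build_sample(1), build_sample(1, b"print('other')\n"))
    print("recompressed:", same_content)
    print("modified:    ", changed_file)
```

A result where only "archive_equal" is False points at the container (compression or header metadata); a False "members_equal" means the packaged files differ and the release should not be trusted until the difference is explained.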
