Posted to notifications@libcloud.apache.org by "Tomaz Muraus (JIRA)" <ji...@apache.org> on 2013/12/12 15:42:07 UTC

[jira] [Commented] (LIBCLOUD-460) checksum mismatch of ".tar.gz" tarball for version 0.13.2

    [ https://issues.apache.org/jira/browse/LIBCLOUD-460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846335#comment-13846335 ] 

Tomaz Muraus commented on LIBCLOUD-460:
---------------------------------------

Thanks for the report.

You are right, this should not happen. I just verified it and your report is correct. The md5 checksums of both the .tar.gz archives are indeed different.

After inspection, it looks like the archive contents don't differ, just the archives themselves do - https://gist.github.com/Kami/7928875.

I have no idea how this happened, since we never use "python setup.py upload", but we always manually upload the same archive to the PyPI server as we upload to the Apache servers.

I will again try to upload the same pristine binary from the Apache servers to PyPI and see what happens when I download the archive. One thing which is possible, but unlikely, is that either PyPI or the Fastly CDN in front of PyPI does something weird to the archive.

> checksum mismatch of ".tar.gz" tarball for version 0.13.2 
> ----------------------------------------------------------
>
>                 Key: LIBCLOUD-460
>                 URL: https://issues.apache.org/jira/browse/LIBCLOUD-460
>             Project: Libcloud
>          Issue Type: Bug
>          Components: Website
>    Affects Versions: 0.13.2
>         Environment: Building with Macports
>            Reporter: Peter Danecek
>              Labels: newbie, security
>   Original Estimate: 10m
>  Remaining Estimate: 10m
>
> I am trying to package libcloud, and intended to use both sources of the package, i.e. apache.org and PyPI. However, it seems that there is some mismatch with the .tar.gz: the tarball is indeed different. The published checksums are different and indeed the corresponding packages have the respective checksum.
> However, I think this should not really happen, at least as long as the same name/version is used.
>  
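
The finding in the comment above (same contents, different archive bytes) can be checked by hashing each tar member instead of the whole file. The following is an added example, not part of the original thread or Libcloud's code; the sample archives are constructed in memory, are assumed to differ only in the gzip header timestamp, and are hashed with SHA-256 rather than the md5 sums mentioned above.

```python
import gzip
import hashlib
import io
import tarfile


def build_sdist(gzip_mtime, init_body=b"__version__ = '0.0.1'\n"):
    """Constructed sample: a fixed tar payload, gzip-wrapped with a chosen header mtime."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in (("pkg-0.0.1/setup.py", b"# constructed sample\n"),
                           ("pkg-0.0.1/pkg/__init__.py", init_body)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 1386860000  # fixed, so the inner tar stream is reproducible
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def archive_digest(blob):
    """Digest of the compressed file, i.e. what a published checksum covers."""
    return hashlib.sha256(blob).hexdigest()


def member_digests(blob):
    """Map each member name to (type, mode, size, sha256 of its data)."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isfile() else b""
            result[m.name] = (m.type, m.mode, m.size, hashlib.sha256(data).hexdigest())
    return result


def compare(a, b):
    """Return (archives_identical, sorted names of members that differ or are missing)."""
    da, db = member_digests(a), member_digests(b)
    changed = sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n))
    return archive_digest(a) == archive_digest(b), changed


if __name__ == "__main__":
    first = build_sdist(gzip_mtime=1386860000)
    second = build_sdist(gzip_mtime=1386863600)  # same payload, re-compressed later
    print(compare(first, second))
```

An empty member list alongside differing archive digests means only the container changed; any listed member means the shipped files themselves differ.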


